Abstract

We develop a timeout based extension of propositional linear temporal
logic (which we call TLTL) to specify timing properties of timeout based
models of real-time systems. TLTL formulas explicitly refer to a running
global clock together with static timing variables as well as a dynamic
variable abstracting the timeout behavior. We extend LTL with the
capability to express timeout constraints. From the expressiveness
viewpoint, TLTL is not comparable with important known clock based
real-time logics including TPTL, XCTL, and MTL, i.e., TLTL can specify
certain properties which cannot be specified in these logics (and vice
versa). We define a corresponding timeout tableau for satisfiability
checking of TLTL formulas. A model checking algorithm over timeout Kripke
structures is also presented. Further, we prove that validity checking for
such an extended logic remains PSPACE-complete even in the presence of
timeout constraints and infinite state models. Under discrete time
semantics, with bounded timeout increments, the model checking problem of
whether a TLTL formula holds in a timeout Kripke structure is also
PSPACE-complete. We further prove that when TLTL is interpreted over
discrete time it can be embedded in the monadic second order logic with
time, and that when TLTL is interpreted over dense time without the
non-zenoness condition, the resulting logic becomes $\Sigma^1_1$-complete.

Keywords: Timeout systems, Real-time logics, Model checking, Timing properties,
Timeout constraints, Tableau satisfiability, Undecidability



1 Introduction 

Real-time systems are an important class of mission critical systems, which have
been well studied for their design, implementation, and performance [OD08].
Designing faithful models for real-time systems essentially requires representing
different kinds of timing behavior, e.g., relative delays and timing constraints.



In a timeout based design framework for real-time systems, timing requirements
are modeled by defining the execution of an action in terms of the expiration of
a delay, often represented as a timeout (or timer). Traditionally, timeouts have
been used in real-time system designs for handling various timing scenarios,
including (forced) expiration of a waiting state. Dutertre and Sorea [DS04]
used timeout based modeling to formally verify safety properties of real-time
systems with discrete dynamics. A timeout model contains a finite set of
timeouts and a variable $x$ which keeps track of the current (global) time.
Timeouts define the time points at which discrete transitions are enabled in the
future. In practice, a typical real-time system may contain $n$ concurrently
active processes. Each process is associated with one timeout, which denotes the
future point of time when the next discrete transition for the corresponding
process will occur. Transitions in this model are classified into two types:
time progress transitions and discrete transitions. In a time progress
transition, the time variable $x$ is advanced to the minimum valued timeout(s).
A discrete transition occurs when $x$ is equal to the minimum valued timeout(s).
If more than one process has its timeout equal to the minimum value, then some
of them are randomly selected and the corresponding discrete transitions take
place, with the values of the corresponding timeouts being set in the future.



[Figure 1 (state transition diagram) is not reproduced here; one recoverable
edge label reads: $(x = T_i) \Rightarrow (\mathrm{send}(cs\_frame),\ T_i := x + \alpha^{cs}_i)$.]

Figure 1: State transition diagram of the TTA startup algorithm at node $i$.
Edges are labeled as: guard $\Rightarrow$ ([send/receive], timeout update,
[record_time_var]), where the (optional) record_time_var records the time when
a transition occurs on the edge.

The startup algorithm for the Time-Triggered Architecture (TTA) is an example of
a system where timeouts are explicitly used in the design. The TTA startup
algorithm executes on a logical bus meant for safety critical applications in
both the automotive and aerospace industries. In normal operation, $N$ nodes
share a TTA bus using a TDMA schedule. The state machine of the startup
algorithm executed on the nodes is shown in Figure 1. Each node $i \in [1, N]$
has a local timeout $T_i$. Timeout increments in the various states are defined
in terms of the timeout increment parameters $\alpha^{listen}_i = (2N + i - 1)\lambda$,
$\alpha^{cs}_i = (N + i - 1)\lambda$, and $\alpha^{round} = N\lambda$, where
$\lambda$ refers to the (fixed) duration of each slot in the TDMA schedule. When
a node is powered on, it transits from the init state to the listen state and
listens for the duration $\alpha^{listen}_i$ to determine whether there is a
synchronous set of nodes communicating on the medium. Similarly, a node in the
coldstart state waits for the reception of frames until the clock $x$ reaches
the value of its timeout. If it receives such a frame, it enters the active
state; else it broadcasts another frame, loops back into the coldstart state,
and waits for another $\alpha^{cs}_i$ time units. For a brief description of the
TTA startup algorithm, the reader is referred to [DS04]. For a detailed
exposition of startup protocols, we refer the reader to [SP02].

Denoting the minimum of all timeout values in any state by $y$, a timeout
event in a state can be characterized by the constraint $x = y$. Also the
following properties might be of interest¹:

• In each state, either a timeout occurs or it is set in the future:

  $\Box((x = y) \vee (x < y))$

• If a node $i$ comes to the listen state (characterized by $p_{ls}$) at time
  $x = t_0$, it will move to the coldstart state (characterized by $p_{cs}$) in
  time no later than $x = t_0 + \alpha^{listen}_i$:

  $\forall t_0.\,\Box(p_{ls} \wedge (x = t_0) \Rightarrow \Diamond(p_{cs} \wedge (x \le t_0 + \alpha^{listen}_i)))$



Clearly ordinary linear temporal logic (LTL) [Pnu77, LP85] would not allow
expressing such properties. One needs to extend LTL with the capability to
express timeout constraints. Even the popular real-time extensions of LTL,
e.g., TPTL [AH94], cannot be used in a straightforward manner to express these
constraints. For example, in order to use TPTL for model checking the TTA
startup model discussed above, the model would have to be redesigned using
explicit clock based frameworks, e.g., timed automata [AD94]. These clock based
models in turn need to explicitly simulate the timeout semantics as discussed
before. Also, as we shall discuss in Section 4.2, certain liveness properties on
global timeout events cannot be expressed using TPTL.

The primary objective of this work is to develop a real-time extension of
LTL that can handle timeout constraints and possesses an efficient model
checking algorithm as well. Over the past decade, there has been a sustained
effort to increase the expressive power of temporal logic, which is a popular
mechanism for specifying and verifying temporal properties of reactive and
real-time systems. As we discuss further in Section 4, several attempts have
been made to incorporate time explicitly into LTL, and to interpret the
resulting logics over models that associate a time with every state. Examples
of such logics are RTTL [Ost89], XCTL [HLP90], TPTL [AH94], MTL [Koy90], etc.
Quite a few verification tools have been developed based on these logics, e.g.,
DT-SPIN [BD98], RT-SPIN [TC96], and UPPAAL [BDL04]. Since these tools adopt
clock based modeling approaches, they can be used to formalize timeout systems
only by first converting the timeout models into clock based models (e.g.,
timed automata with clocks). On the other hand, the infinite bounded model
checker of SAL (Symbolic Analysis Laboratory) [dMOR+04] can model timeout
systems, but it supports only LTL model checking and demands considerable
manual effort in defining supporting lemmas and abstractions during the model
checking process. In order to alleviate such problems, timeout based modeling
was earlier formalized by the authors in [SMR07] in terms of predicate
transition diagrams, and the current work deals with defining the corresponding
specification logic and model checking procedure.

¹ For the formal semantic interpretation of these formulas see Section 2.

The remainder of the paper is organized as follows: the logic TLTL is
introduced in Section 2. In Section 3 we introduce a monadic second
order (MSO) theory of timeout state sequences and prove that TLTL, when
interpreted over discrete time, can be embedded in it. In Section 4 we compare
TLTL with other real-time extensions of LTL including XCTL, TPTL, and
MTL. In Section 5 we describe a tableau based decision procedure for the
validity (and satisfiability) checking of TLTL formulas, followed by its
complexity analysis. Model checking of TLTL formulas over timeout Kripke
structures is discussed in Section 6 with the associated complexity analysis.
In Section 7 we prove an undecidability result under the dense time
interpretation without the time progress constraint. We conclude with a
discussion of directions for future work in Section 8.

2 The Logic TLTL 

In this section we define the syntax and semantics of Timeout based
Propositional Linear Temporal Logic, TLTL.

2.1 Syntax of TLTL

The basic vocabulary of TLTL consists of a finite set $\mathcal{P}$ of
propositions true, false, $p, q, \ldots$, and a finite set $T$ of (global)
static timing variables $t_1, t_2, \ldots$. In addition, we allow a dynamic
variable $x$ which represents the clock and a dummy variable $y$.² Assume
$\Delta = \{<, =, >\}$, and let $\sim$ range over $\Delta$. We use
$\mathbb{R}^{\ge 0}$ to denote the set of non-negative real numbers, and
$\mathbb{N}$ to denote the set of non-negative integers.

• The set of atomic formulas ($A_f$) consists of the propositions in
  $\mathcal{P}$ and atomic constraints of the form $x < y$, $x = y$, $x < u$,
  $x = u$, and $x > u$, where $u ::= t + c \mid c$, $t$ ranges over $T$ and
  $c \in \mathbb{N}$ is a constant. We refer to $x < u$, $x = u$ and $x > u$ as
  static constraints and to $x < y$ and $x = y$ as dynamic constraints.

• (Unquantified) formulas are built using the following grammar

  $\phi ::= a_f \mid \phi \vee \phi \mid \neg\phi \mid \bigcirc\phi \mid \phi\,\mathcal{U}\,\phi$

  where $a_f$ ranges over $A_f$.

• Finally, a quantified formula is built using universal quantification over
  timing variables at the outermost level as:

  $\psi ::= \forall t_1 t_2 \ldots t_k.\,\phi$

  where $T_\phi = \{t_1, t_2, \ldots, t_k\} \subseteq T$ is the set of timing
  variables appearing in the (unquantified) formula $\phi$.

• The additional operators $\wedge, \Rightarrow, \Leftrightarrow$ and the modal
  operators $\Diamond, \Box$ are introduced as abbreviations:
  $p \Rightarrow q \equiv \neg p \vee q$, $\Diamond\phi \equiv \mathrm{true}\,\mathcal{U}\,\phi$,
  $\Box\phi \equiv \neg\Diamond\neg\phi$.

² Variable $y$ is essentially a placeholder for the minimum of the timeouts in a
timeout program, which will be introduced in Section 6.1. This abstraction is
adopted primarily because, according to the behavior of a timeout system as
discussed in Section 1, a discrete transition in a state may occur only when the
current time is equal to the minimum valued timeout. For convenience, $y$ will
also sometimes be referred to as the 'minimum of the timeouts'.


2.2 Semantics of TLTL 

We consider the following point-wise or (timeout) event based semantics for
TLTL. Towards defining a model for a TLTL formula, consider a sequence of
states of the form

  $\sigma : s_0 s_1 \ldots,$

such that each $s_i$ gives a boolean interpretation (true, false) to the
propositions, and a non-negative real valued interpretation to the timing
variables in $T$, to the clock variable $x$, and to the variable $y$.

In a state $s_i$, let $s_i(x)$ denote the value of the clock variable $x$,
$s_i(y)$ the value of the variable $y$, and $s_i(t_j)$ the value of the timing
variable $t_j \in T$. It is further required that:

(m1) Monotonicity: Clock $x$ and variable $y$ do not decrease:

  $\forall i : s_i(x) \le s_{i+1}(x)$ and $s_i(y) \le s_{i+1}(y)$

(m2) Time Progress: To ensure effective time progress in the model, a
divergence condition (also known in the literature as the 'non-zenoness' or
'finite variability' condition), which says that time eventually increases, is
required:

  $\forall \delta \in \mathbb{R}^{\ge 0} : \exists i$ such that $s_i(x) > \delta$

(m3) State Transition: Upon a change of state, either the timeout variables
stay constant or some of them increase; that is, for each $i$:

  • if the clock in state $s_i$ is less than the minimum of the timeouts, i.e.
    $y$, the clock advances to this value in the next state $s_{i+1}$:

    $[(s_i(x) < s_i(y)) \Rightarrow (s_{i+1}(y) = s_i(y)) \wedge (s_{i+1}(x) = s_i(y))]$

  • else, if the clock in state $s_i$ is equal to the value of $y$, in the next
    state $s_{i+1}$, $y$ advances into the future:

    $[(s_i(x) = s_i(y)) \Rightarrow (s_{i+1}(y) > s_i(y)) \wedge (s_{i+1}(x) = s_i(x))]$

  As a consequence we have $s_i(x) \le s_i(y)$ for each $i$; that is, timeouts
  are always set in the future.

(m4) Initiality: For the initial state $s_0$ the following holds: either
$s_0(x) = s_0(y) = 0$ (when $x = y$ holds in $s_0$) or $0 = s_0(x) < s_0(y)$
(when $x < y$ holds in $s_0$).

(m5) Constant Interpretation for Static Variables: All the states are required
to assign the same interpretation to the static timing variables; that is,
for a given formula $\psi$,

  $\forall t_j \in T_\psi : s_i(t_j) = s_0(t_j)$, for each $i$.

Thus a model for a TLTL formula may contain infinitely many different
states with different values of the clock and timeout variables. Boolean and
modal operators are given the usual interpretation. We mention only the atomic
formulas in $A_f$, which are interpreted in a state as follows:

  $s_i \models p$ iff $s_i(p) = \mathrm{true}$

  $s_i \models x \sim t_j + c$ iff $s_i(x) \sim s_i(t_j) + c$

  $s_i \models x \sim y$ iff $s_i(x) \sim s_i(y)$

Finally, we define $\sigma \models \psi$ iff $s_0 \models \psi$ for any
interpretation of the static timing variables appearing in $\psi$ given in
state $s_0$. The formula $\psi$ is satisfiable (valid) if $\sigma \models \psi$
for some (all) sequence(s) $\sigma$.

For example, consider the time bounded response property, which specifies that
"event $p$ is always followed by event $q$ within 5 time units". It can be
expressed by the TLTL formula

  $\forall t_0.\,\Box(p \wedge (x = t_0) \Rightarrow \Diamond(q \wedge (x \le t_0 + 5)))$   (1)

We can also consider a variant of this as a bounded timeout response property,
stating that "timeout event $p$ is always followed by timeout event $q$ within
5 time units", which would be expressed by the TLTL formula

  $\forall t_0.\,\Box(p \wedge (x = y) \wedge (x = t_0) \Rightarrow \Diamond(q \wedge (x = y) \wedge (x \le t_0 + 5)))$   (2)

A quantified formula $\psi$ is termed closed if all the timing variables
appearing in it are bound by a universal quantifier. In the rest of the
discussion we will only consider closed quantified formulas. Also we will follow
the usual notational convention [Ost89, PH88, HLP90] of implicit universal
quantification and will often drop the outermost universal quantification over
the global static timing variables in $T$. For example, the time bounded
response property, specified by the TLTL formula (1), would actually be written
as

  $\Box(p \wedge (x = t_0) \Rightarrow \Diamond(q \wedge (x \le t_0 + 5)))$   ($\phi_{BR.TLTL}$)

A formula of the form $x \le z$ ($z ::= u \mid y$) is an abbreviation for
$(x < z) \vee (x = z)$. Similarly $x \ge u$ abbreviates $(x > u) \vee (x = u)$.
Note that $x > y$ is not a valid formula in TLTL.
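To make the timeout model of Section 1 and the semantics above concrete, the following is an added example (it is not code from the paper): a Python simulation of a small timeout model with one timeout per process, a check of conditions (m1), (m3) and (m4) on the generated prefix, and an evaluator for TLTL formulas. The process increments, the proposition names fire_i, the tuple encoding of formulas and the policy of firing every timeout that expires together are assumptions of the example. The evaluator works on a finite prefix only, so it implements a bounded version of the point-wise semantics: a witness for $\Diamond$ or $\mathcal{U}$ must lie inside the prefix and $\Box$ is checked over the prefix alone.

```python
"""Timeout-model simulation and bounded TLTL evaluation (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class State:
    x: int                  # global clock
    y: int                  # minimum of all timeouts
    props: FrozenSet[str]   # propositions true in this state


def run_timeout_model(increments: List[int], n_states: int) -> List[State]:
    """Generate the first n_states states of a toy timeout model with one process
    per entry of `increments` (a constructed example, not a model from the paper).
    Process i resets its timeout to x + increments[i] whenever it fires, and the
    proposition 'fire_i' holds in the state where that timeout event (x = y) occurs.
    Where several timeouts expire together we fire all of them, one of the choices
    the nondeterministic selection of Section 1 allows."""
    timeouts = [0] * len(increments)   # every timeout expired at time 0: s_0(x) = s_0(y) = 0
    x, states = 0, []
    while len(states) < n_states:
        y = min(timeouts)
        if x < y:                      # time-progress transition: x advances to y, y unchanged
            states.append(State(x, y, frozenset()))
            x = y
        else:                          # x = y: discrete transition(s); fired timeouts move into the future
            fired = [i for i, t in enumerate(timeouts) if t == y]
            states.append(State(x, y, frozenset(f"fire_{i}" for i in fired)))
            for i in fired:
                timeouts[i] = x + increments[i]
    return states


def is_timeout_model(states: List[State]) -> bool:
    """Check (m1), (m3) and (m4) of Section 2.2 on a finite prefix.  (m2), time
    divergence, is a property of the infinite sequence and cannot be decided
    from a prefix."""
    if states[0].x != 0:                                          # (m4): s_0(x) = 0 <= s_0(y)
        return False
    for a, b in zip(states, states[1:]):
        if a.x > b.x or a.y > b.y or a.x > a.y:                  # (m1) and x <= y
            return False
        if a.x < a.y and not (b.y == a.y and b.x == a.y):         # (m3), first case
            return False
        if a.x == a.y and not (b.y > a.y and b.x == a.x):         # (m3), second case
            return False
    return states[-1].x <= states[-1].y


_CMP = {"<": lambda a, b: a < b, "=": lambda a, b: a == b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}


def holds(f, states: List[State], env: dict, i: int = 0) -> bool:
    """Bounded (finite-prefix) semantics of a TLTL formula f at position i.
    Formula trees are tuples: ('true',), ('p', name), ('xy', op), ('xt', op, t, c),
    ('not', f), ('or', f, g), ('and', f, g), ('imp', f, g), ('next', f),
    ('until', f, g), ('ev', f), ('alw', f).  env maps static timing variables to
    values, the same in every state (m5).  On a prefix, 'next' at the last state
    is false and 'until'/'ev' need their witness inside the prefix, so 'alw' is
    checked only over the prefix: a true result is bounded-true, not a proof."""
    s, n, tag = states[i], len(states), f[0]
    if tag == "true":  return True
    if tag == "p":     return f[1] in s.props
    if tag == "xy":    return _CMP[f[1]](s.x, s.y)
    if tag == "xt":    return _CMP[f[1]](s.x, env[f[2]] + f[3])
    if tag == "not":   return not holds(f[1], states, env, i)
    if tag == "or":    return holds(f[1], states, env, i) or holds(f[2], states, env, i)
    if tag == "and":   return holds(f[1], states, env, i) and holds(f[2], states, env, i)
    if tag == "imp":   return holds(("or", ("not", f[1]), f[2]), states, env, i)
    if tag == "next":  return i + 1 < n and holds(f[1], states, env, i + 1)
    if tag == "until":
        return any(holds(f[2], states, env, j)
                   and all(holds(f[1], states, env, k) for k in range(i, j))
                   for j in range(i, n))
    if tag == "ev":    return holds(("until", ("true",), f[1]), states, env, i)
    if tag == "alw":   return not holds(("ev", ("not", f[1])), states, env, i)
    raise ValueError(f"unknown formula tag {tag!r}")


def holds_forall(f, states: List[State], tvar: str) -> bool:
    """Closed formula forall tvar. f, instantiating tvar with every clock value of
    the prefix.  For the pattern alw(p and x = t => ...) used in the paper these
    are the only instantiations whose antecedent can ever be true, so this is exact."""
    return all(holds(f, states, {tvar: v}) for v in sorted({s.x for s in states}))


# Formula (1) with p = fire_0, q = fire_1: every fire_0 is followed by a fire_1
# within 5 time units.
RESPONSE_0_TO_1 = ("alw", ("imp", ("and", ("p", "fire_0"), ("xt", "=", "t0", 0)),
                           ("ev", ("and", ("p", "fire_1"), ("xt", "<=", "t0", 5)))))
TIMEOUT_INF_OFTEN = ("alw", ("ev", ("xy", "=")))               # formula (3): alw ev (x = y)
TIMEOUT_OR_FUTURE = ("alw", ("or", ("xy", "="), ("xy", "<")))  # Section 1: alw((x = y) or (x < y))

if __name__ == "__main__":
    prefix = run_timeout_model([3, 5], 11)
    print([(s.x, s.y, sorted(s.props)) for s in prefix[:5]])
    print(is_timeout_model(prefix), holds(TIMEOUT_INF_OFTEN, prefix, {}),
          holds_forall(RESPONSE_0_TO_1, prefix, "t0"),
          holds_forall(RESPONSE_0_TO_1, run_timeout_model([3, 20], 11), "t0"))
```

With increments [3, 5] the generated $(x, y)$ pairs begin {0,0}, {0,3}, {3,3}, {3,5}, {5,5}, the sequence (4) used in Section 4.1, and the bounded response holds on an 11-state prefix; with increments [3, 20] the second process stays silent long enough that the same property fails at the fire_0 event at time 3. The alternation of time-progress and discrete states is exactly what (m3) prescribes, which is why is_timeout_model accepts the generated prefixes and rejects a hand-built pair of states that advances the clock without first resetting a timeout.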

3 An Embedding of TLTL in MSO 

In this section we explore the relationship of TLTL with monadic second order 
logic (MSO) with time. Towards that we consider an interpretation of MSO 
in integer time structure. Subsequently we provide a straightforward meaning 
preserving translation between TLTL and monadic logic. 
3.1 Monadic Second Order Theory of Timeout State Sequences

Next we briefly recall the theory of timed state sequences $\mathcal{L}_2$ as
introduced in [AH93] and extend it slightly. This is defined by adding a
linearly ordered time domain $(TIME, \prec)$ to the theory of state sequences,
S1S [Büc60], through a monotonically non-decreasing function
$f : \mathbb{N} \mapsto TIME$ that associates a time with every state in the
sequence. Thus a timed state sequence is a pair $(\sigma', f)$ consisting of an
infinite sequence of states $\sigma' = s'_0 s'_1 \ldots$ and the function $f$.

Let us additionally consider a monotonically non-decreasing function
$g : \mathbb{N} \mapsto TIME$ representing the minimum of the timeouts in a
state. This defines a timeout state sequence as a triple $(\sigma', f, g)$.

Let $\mathcal{L}_2$ be a second-order language with two sorts, a state sort and
a time sort, as considered in [AH93]. The vocabulary of the congruence free
sublanguage of $\mathcal{L}_2$ consists of:

• The sets $Var_1$ and $Var_2$ for the state sort. The set
  $Var_1 = \{i, j, \ldots\}$ consists of individual (first-order) variables and
  the set $Var_2 = \{p, q, \ldots\}$ contains (second-order) set or predicate
  variables.

• The binary predicate symbol $<$ over the state and time sorts;

• The unary function symbol $f$ from the state sort into the time sort;

• Quantification over individual variables in $Var_1$ and over predicate
  variables in $Var_2$.

Let $\mathcal{L}^m_2$ be the language which, in addition to $\mathcal{L}_2$,
also contains:

• The unary function symbol $g$ from the state sort into the time sort;

• The set of additional unary function symbols $Var_3 = \{t_1, t_2, \ldots\}$
  from the state sort into the time sort.

We consider only those formulas which do not contain any free individual
variables. Further, we restrict our attention to structures that choose the set
of natural numbers $\mathbb{N}$ as the domain for both sorts, with the usual
linear order $<$ on them. Given a formula $\phi$ of $\mathcal{L}^m_2$ with the
free predicate variables $p_1, \ldots, p_n \in Var_2$ and free function symbols
$T_\phi = \{t_1, \ldots, t_k\} \subseteq Var_3$, an interpretation $I$ for
$\phi$ specifies the sets $p^I_1, \ldots, p^I_n \subseteq \mathbb{N}$ and
monotonically non-decreasing functions $f^I : \mathbb{N} \mapsto \mathbb{N}$,
$g^I : \mathbb{N} \mapsto \mathbb{N}$, $t^I_1 : \mathbb{N} \mapsto \mathbb{N},
\ldots, t^I_k : \mathbb{N} \mapsto \mathbb{N}$. The satisfaction relation
$\models$ is defined in the standard fashion.

Every interpretation $I$ for $\phi$ implicitly defines a timeout state sequence
$(\sigma', f, g)$: let $\sigma'$ be the infinite sequence of states
$s'_0 s'_1 \ldots$, where $s'_i \in 2^{\{p_1, \ldots, p_n\}} \times \mathbb{N}^k$
is such that $(p_j, (n_1, \ldots, n_k)) \in s'_i$ iff $i \in p^I_j$ and
$\forall 1 \le j \le k.\, t^I_j(i) = n_j$. Also let $f = f^I$ and $g = g^I$ for
notational convenience.

$\mathcal{L}^m_2$-formulas define properties of timeout state sequences. For
example, the bounded timeout response property discussed earlier (ref. Eq. (2))
can be defined by the formula

  $\forall i.\,(p(i) \wedge (f(i) = g(i)) \Rightarrow \exists j \ge i.\,(q(j) \wedge (f(j) = g(j)) \wedge (f(j) \le f(i) + 5)))$

An $\mathcal{L}^m_2$-formula $\phi$ is satisfiable (valid) if it is satisfied by
some (every) timeout state sequence. The (second-order) theory of timeout state
sequences is the set of all valid formulas of $\mathcal{L}^m_2$. The following
result is an immediate adaptation of the decidability result from [AH93]:

Fact 1 (Decidability) The validity problem for the language $\mathcal{L}^m_2$
is decidable.



3.2 TLTL as a fragment of $\mathcal{L}^m_2$

Now we provide a meaning preserving compositional translation of TLTL formulas
into $\mathcal{L}^m_2$. Every TLTL formula $\psi := \forall t_1 \ldots t_k.\,\phi$
can be translated into $\mathcal{L}^m_2$ while preserving the set of models of
$\psi$. The translation will use $T^m_\psi = \{t_1, \ldots, t_k\} \subseteq Var_3$
to capture the static timing variables in $T_\psi = \{t_1, \ldots, t_k\}$, and a
free individual variable $i \in Var_1$ acting as a state counter. For every
proposition $p$ of TLTL, we use a corresponding unary predicate $p(i)$ of state
sort. We translate a TLTL formula $\psi$ to the $\mathcal{L}^m_2$-formula

  $Tr(\psi) = \forall i.\,\forall t_j \in T^m_\psi.\,[A_{m_2} \wedge A_{m_3} \wedge A_{m_4} \wedge A_{m_5} \wedge Tr_0(\phi)]$

where the semantic constraints of TLTL as defined in Section 2.2 are encoded by
$A_{m_2}, \ldots, A_{m_5}$ (monotonicity (m1) is already built into the
interpretations, whose functions $f$, $g$ and $t_j$ are required to be
monotonically non-decreasing):

  $A_{m_2} : \forall l \in \mathbb{N}\,\exists m \in \mathbb{N}.\, f(m) > l$

  $A_{m_3} : [f(i) < g(i) \Rightarrow (g(i+1) = g(i)) \wedge (f(i+1) = g(i))]$
        $\wedge\, [f(i) = g(i) \Rightarrow (g(i+1) > g(i)) \wedge (f(i+1) = f(i))]$
        $\wedge\, \neg[f(i) > g(i)]$

  $A_{m_4} : [(f(0) = 0) \wedge (g(0) = 0)] \vee [(f(0) = 0) \wedge (f(0) < g(0))]$

  $A_{m_5} : \bigwedge_{1 \le j \le k} (t_j(i) = t_j(0))$

The mapping $Tr_i$, for $i \ge 0$, is defined by induction on the structure of
TLTL formulas:

  $Tr_i(\mathrm{false}) = \mathrm{false}$

  $Tr_i(p) = p(i)$

  $Tr_i(x \sim y) = f(i) \sim g(i)$

  $Tr_i(x \sim t_j + c) = f(i) \sim t_j(0) + c$

  $Tr_i(\phi \vee \varphi) = Tr_i(\phi) \vee Tr_i(\varphi)$

  $Tr_i(\neg\phi) = \neg Tr_i(\phi)$

  $Tr_i(\bigcirc\phi) = Tr_{i+1}(\phi)$

  $Tr_i(\phi\,\mathcal{U}\,\varphi) = \exists j \ge i.\,(Tr_j(\varphi) \wedge \forall i \le k < j.\,Tr_k(\phi))$

Given a model $\sigma = s_0 s_1 \ldots$ of a TLTL formula $\psi$, we can
associate an $\mathcal{L}^m_2$ interpretation $I = (\sigma', f, g)$ with
$Tr(\psi)$ by making $p(i)$ true iff $s_i \models p$, and setting
$f(i) = s_i(x)$, $g(i) = s_i(y)$, and $t_j(i) = s_0(t_j)$. Similarly, given an
$\mathcal{L}^m_2$ interpretation $I = (\sigma', f, g)$ we generate a model
$\sigma = s_0 s_1 \ldots$. Now by structural induction on $\phi$ we can prove
the following:

Theorem 1 Let $\psi$ be a TLTL formula. Then for a given model $\sigma$ of
$\psi$ we have $\sigma \models \psi$ if and only if
$(\sigma', f, g) \models Tr(\psi)$.
4 A Comparison of TLTL with Other Logical Formalisms



The most popular formalism for specifying properties of reactive systems is
linear temporal logic [Pnu77, LP85]. Automatic verification and synthesis
for finite state systems is usually carried out using the tableau based
satisfiability algorithm for a propositional version of linear temporal logic
(PLTL) [LP85]. PLTL is interpreted over models which retain only the temporal
ordering of the states, abstracting away the actual time instants at which
events occur. However, real-time systems call for explicitly expressing
real-time constraints in order to reason about them, such as the bounded
response property, which necessitates the development of formalisms that can
express explicit time.

There are several approaches to extending LTL to express timing constraints.
The first approach incorporates an explicit variable $x$, which expresses the
current time, without introducing any extra temporal operators. This is
referred to as the explicit clock approach, since the only new element
introduced is the explicit clock variable. An example of a first-order explicit
clock logic is Real Time Temporal Logic (RTTL) [Ost89], which is defined
without restrictions on the assertion language for atomic timing constraints.
A propositional version of this logic, called XCTL (Explicit Clock Temporal
Logic), is discussed in [HLP90]. This logic allows integer variables to record
the values of the global clock at different states, and integer expressions
over these variables.

An alternative approach to expressing timing properties in a temporal logic
has been to introduce bounded versions of the temporal operators. For example,
the bounded operator $\Diamond_{[2,4]}$ is interpreted as "eventually within 2
to 4 time units". Using this notation, the time-bounded response property
discussed earlier can be written with a bounded eventuality operator.

This approach to the specification of timing properties has been advocated by
Koymans [Koy90] and is known as Metric Temporal Logic (MTL).

In yet another approach, time in a state is accessed through a quantifier,
which binds ("freezes") a variable to the corresponding time. This idea of
freeze quantification was introduced by Alur and Henzinger in [AH94] in a logic
known as TPTL (Timed Propositional Temporal Logic). The freeze quantifier
"$x.$" binds the associated variable $x$ to the time of the current temporal
context; the formula $x.\phi(x)$ holds at time $t_0$ iff $\phi(t_0)$ does.
Thus in a formula $\Diamond x.\phi$ the time variable $x$ is bound to the time
of the state at which $\phi$ is "eventually" true. By admitting atomic formulas
that relate the time instants of different states, the time-bounded response
property can be written as:

  $\Box x_p.(p \Rightarrow \Diamond x_q.(q \wedge x_q \le x_p + 5))$   ($\phi_{BR.TPTL}$)
4.1 TLTL vs XCTL

The logic XCTL as described in [HLP90] contains static timing variables and
an explicit clock variable in its vocabulary. An atomic formula $a_f$ is either
an atomic proposition in $\mathcal{P}$ or a constraint of the form $x \sim u$
or $c \sim u$, where $u = a_0 + a_1 \cdot t_1 + \cdots + a_m \cdot t_m$, with
constants $a_0, a_1, \ldots, a_m \in \mathbb{N}$ and $c \in \mathbb{N}$, and
$t_1, \ldots, t_m$ being static timing variables. XCTL formulas are built using
the following grammar

where $a_f$ ranges over $A_f$.

A model for XCTL consists of a sequence of states

  $\sigma : s_0 s_1 \ldots,$

such that each state $s_i$ gives a boolean interpretation to the propositions
and an integer interpretation to the timing variables and to the clock variable
$x$. Similar to TLTL, all static timing variables appearing in an XCTL formula
assume the same valuation in all the states.

When compared to TLTL, it turns out that there exist properties involving the
dynamic variable $y$ which cannot be expressed in XCTL. For example, for a
timeout model of a real-time system the following property, "a timeout occurs
infinitely often", can be expressed in TLTL:

  $\Box\Diamond(x = y)$   (3)

The following sequence of states (written as pairs of $x$ and $y$ values)
satisfies (3):

  $\{0, 0\}, \{0, 3\}, \{3, 3\}, \{3, 5\}, \{5, 5\}, \ldots$   (4)

In XCTL, the only way to effectively characterize the state sequences
satisfying (3) is by using constraints of the form $x \sim u$ or $u \sim c$.
However, since static timing variables need to be given the same value in all
the states of a state sequence, an equality of the form $x = u$, involving only
static timing variables and constants in the r.h.s. expression $u$, can hold
true only for a single value of $x$ (and $u$), i.e., in only finitely many
states of a state sequence, where $x$ assumes this value. Therefore, we would
need an infinite disjunction of such equalities to express (3) in XCTL,
implying that there cannot exist any syntactically correct XCTL formula which
effectively characterizes state sequences like the one given in (4)
satisfying (3).

On the other hand, consider the XCTL formula

  $\Box(p \wedge (x = t_p) \Rightarrow \Box(q \wedge (x = t_q) \Rightarrow \Box(r \wedge (x = t_r) \Rightarrow [t_q - t_p < t_r - t_q])))$   (5)

This formula specifies that the delay between events $p$ and $q$ is always less
than the delay between $q$ and $r$. This property cannot be specified in TLTL
owing to the exclusion of inequalities involving more than one static timing
variable.

4.2 TLTL vs TPTL

In [AH94], Alur and Henzinger proposed an extension of LTL that is capable of
relating the times of different states. For this purpose, they use freeze
quantification, by which every variable is bound to the time of a particular
state. TPTL allows an infinite number of variables $V = \{x_1, x_2, x_3, \ldots\}$
over which freeze quantification can be applied. The formulas of TPTL are built
using the following grammar

  $\phi ::= a_f \mid \phi \vee \phi \mid \neg\phi \mid \bigcirc\phi \mid \phi\,\mathcal{U}\,\phi \mid x_i.\phi$

where $a_f$ is either an atomic proposition from $\mathcal{P}$ or a constraint
of the form $u_1 \le u_2$ or $u_1 \equiv_d u_2$, where $u_1, u_2 ::= x_i + c \mid c$
and $c \ge 0$, $d \ge 2$ are integer constants. Together they form the set of
atomic formulas $A_f$. A variable $x_i$ can be bound by a freeze quantifier as
"$x_i.$", which "freezes" $x_i$ to the time of the local temporal context. Only
closed formulas, where every occurrence of a variable is under the scope of a
freeze quantifier, are considered.

The semantics of TPTL formulas is given by a sequence of states
$\sigma = s_0 s_1 \ldots$ and an interpretation (environment) for the variables
in $V$, $\mathcal{E} : V \rightarrow \mathbb{N}$. The underlying time domain is
taken to be the set of natural numbers $\mathbb{N}$. As before, each state
assigns a boolean interpretation to the propositions, and a (weakly) monotonic
integer interpretation to a (hidden) global timing variable $T$, which is not
used in the syntax of the formulas. We consider only atomic formulas in $A_f$
and formulas with freeze quantifiers. Let $\mathcal{E}(x_i + c) = \mathcal{E}(x_i) + c$
and $\mathcal{E}(c) = c$. Also let $\mathcal{E}[x_i := a]$ denote the
environment that agrees with the environment $\mathcal{E}$ on all variables
except $x_i$, and maps $x_i$ to $a \in \mathbb{N}$.

  $s_i \models_\mathcal{E} p$ iff $s_i(p) = \mathrm{true}$

  $s_i \models_\mathcal{E} u_1 \le u_2$ iff $\mathcal{E}(u_1) \le \mathcal{E}(u_2)$

  $s_i \models_\mathcal{E} u_1 \equiv_d u_2$ iff $\mathcal{E}(u_1) \equiv_d \mathcal{E}(u_2)$

  $s_i \models_\mathcal{E} x_j.\phi$ iff $s_i \models_{\mathcal{E}[x_j := s_i(T)]} \phi$

A timed state sequence $\sigma$ is a model of a closed formula $\phi$ iff
$s_0 \models_\mathcal{E} \phi$ for any environment $\mathcal{E}$.

As already noticed in [AH92], the static constraints in TLTL can play the
same role as the freeze quantifier plays in TPTL. For example, consider the
time-bounded response property $\phi_{BR.TLTL}$ again. It will be satisfied
only by those models which assign to $t_0$ exactly the value of the clock at
the instant of the occurrence of the event $p$, and therefore it is equivalent
to the TPTL formula $\phi_{BR.TPTL}$. In general, assuming the same set of
atomic constraints, a TPTL formula

  $x.\phi$

is equivalent to the TLTL formula

  $\forall t_0.(x = t_0 \Rightarrow \phi)$   (6)

However, this apparent syntactic correspondence is not without its problems.
TPTL allows defining timing constraints referring to the time instants of two
past states, e.g.,

  $\Box t_1.\bigcirc t_2.\Diamond(\mathit{alarm} \wedge t_2 > t_1 + 5)$

This formula states that, from now on, if the time difference between two
successive states is more than 5 units, eventually an alarm will be raised.
Since TLTL does not allow referring to two past time instants, there is no
syntactically straightforward translation of such formulas into TLTL using (6)
above. However, as it turns out, this is really not a problem, because such
formulas involving references to two past time instants are semantically
equivalent to formulas which refer to only one previous time instant in the
state where the second time instant would be frozen. In this example a
semantically equivalent TPTL formula would be

  $\Box t_1.\bigcirc t_2.(t_2 > t_1 + 5 \Rightarrow \Diamond(\mathit{alarm}))$

which can be translated into an equivalent TLTL formula using (6) (omitting
the outermost quantification):

  $\Box(x = t_1 \Rightarrow \bigcirc(x = t_2 \Rightarrow ((x > t_1 + 5) \Rightarrow \Diamond(\mathit{alarm}))))$

It may also be noted that TLTL is suitable where one needs to express formulas
about timed systems with timeouts, as the following kind of condition cannot be
expressed in TPTL: "a timeout always occurs in the state following a time
increment."

  $\Box((x < y) \Rightarrow \bigcirc(x = y))$   (7)

The reason that there cannot be any formula in TPTL which characterizes exactly
the same set of models as formula (7) does is as follows. Since $x$ refers to
the time(s) when (7) holds, these can only be captured using freeze quantifiers
in TPTL. Now since TPTL inequalities only involve (frozen) variables or
constants, for the variable $y$ we also need to use these. However, $y$ being a
dynamic variable, it would assume infinitely many different values in a model
of formula (7); these values cannot be captured using constants (or else they
would demand infinitely many constant based inequalities of the form
$[x < c \Rightarrow \bigcirc(x = c)]$). Therefore, the only option is to use
variables under freeze quantifiers. However, the inequality $x < y$ would
demand that such a variable (that is, $y$) must refer to a future state, since
time flows only in the forward direction; in particular, the next state itself.
A formula like the one below may (appear to) capture such a scenario:

  $\Box x.((x < y) \Rightarrow \bigcirc y.(x = y))$   (8)

However, atomic constraints in TPTL cannot refer to the time points of future
states, as is evident from the very syntax of the freeze quantifier: e.g., in
the case of the TPTL formula (8), first $y$ is a free variable and then $y$ is
bound by the (second) freeze quantifier, and therefore both $y$s are actually
different variables; such formulas involving free variables are in any case not
allowed in TPTL. Thus, neither constant nor timing variable based inequalities
can be used to express the inequalities appearing in formula (7). That is why
the state sequences satisfying the TLTL formula (7) cannot be characterized in
TPTL.

On the other hand, there are formulas in TPTL which cannot be characterized in
TLTL. For example, consider the state sequences in which "an event $p$ occurs
at all even time points." This can be characterized by the TPTL formula
$\Box x.(x \equiv_2 0 \Rightarrow p)$. However, as proved in [AH93], this
property is not expressible without congruences. This in turn implies that, due
to the nature of its arithmetical constraints, this TPTL formula cannot be
expressed in TLTL.

4.3 TLTL vs MTL 

MTL [Koy90] extends LTL by constraining the temporal operators on (bounded or unbounded) intervals of the real numbers specified as subscripts. The formulas in MTL are inductively built using the following grammar

$$\varphi ::= p \mid \varphi \vee \varphi \mid \neg\varphi \mid \varphi\, U_I\, \varphi$$

where $p \in V$ is a proposition and $I$ is a (bounded or unbounded) interval with integer (or rational) end-points. An interval is a nonempty convex subset of $\mathbb{R}^{\geq 0}$, which may assume one of the following forms: $[a,b]$, $[a,b)$, $[a,\infty)$, $(a,b]$, $(a,b)$, $(a,\infty)$, where $a < b$ for the end-points $a, b$. The interval $I$ is singular iff it is of the form $[a,a]$ (also written as $= a$).

The formulas of MTL can be interpreted over a timed state sequence $(\sigma, f)$, where $\sigma = s_0, s_1, \ldots$ is an untimed state sequence giving a Boolean interpretation to the propositions and $f : \mathbb{N} \to \mathbb{R}^{\geq 0}$ is a mapping such that $f(i)$ denotes the time at state $s_i$. The satisfaction relation $(\sigma, f) \models \varphi$ is defined in the usual way. We only mention the case of the formula $\varphi\, U_I\, \psi$:

$$(\sigma, f)^i \models \varphi\, U_I\, \psi \;\text{ iff }\; \exists j \geq i.\,\big[(s_j, f(j)) \models \psi \;\wedge\; (\forall i \leq k < j.\,(s_k, f(k)) \models \varphi) \;\wedge\; (f(j) \in f(i) + I)\big],$$

where $f(i) + I$ is defined using simple rules of interval arithmetic, e.g., if $I = [a,b]$, then $f(i) + I$ stands for the interval $[f(i)+a, f(i)+b]$.
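The bounded-until semantics and the interval arithmetic $f(i) + I$ described above, as an added example that is not part of the paper: a small evaluator for MTL formulas over a finite prefix of a timed state sequence. The `Interval` class, the `TimedSeq` representation and the sample sequence are constructed for this illustration; the evaluator also covers the half-open and unbounded interval forms listed in the text, and `singular()` flags the $[a,a]$ intervals that MITL (discussed below) excludes.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# A timed state sequence (sigma, f): sigma[i] is the set of propositions true at
# state s_i and f[i] the time stamp of s_i, with f non-decreasing (constructed input).
TimedSeq = Tuple[List[Set[str]], List[float]]
Formula = Callable[[TimedSeq, int], bool]


@dataclass(frozen=True)
class Interval:
    """One of [a,b], [a,b), (a,b], (a,b), [a,inf), (a,inf); b == inf means unbounded."""
    a: float
    b: float
    left_closed: bool = True
    right_closed: bool = True

    def shift(self, t: float) -> "Interval":
        # f(i) + I by interval arithmetic: both end-points move by t, openness is kept
        return Interval(self.a + t, self.b + t, self.left_closed, self.right_closed)

    def contains(self, v: float) -> bool:
        lo = v >= self.a if self.left_closed else v > self.a
        hi = v <= self.b if self.right_closed else v < self.b
        return lo and hi

    def singular(self) -> bool:
        # a singular interval [a,a] is what MITL forbids as a subscript
        return self.left_closed and self.right_closed and self.a == self.b


def prop(p: str) -> Formula:
    return lambda seq, i: p in seq[0][i]


def until_I(phi: Formula, psi: Formula, I: Interval) -> Formula:
    """phi U_I psi at position i: some j >= i satisfies psi with f(j) in f(i)+I,
    and phi holds at every k with i <= k < j (checked on the finite prefix)."""
    def holds(seq: TimedSeq, i: int) -> bool:
        sigma, f = seq
        window = I.shift(f[i])
        for j in range(i, len(sigma)):
            if f[j] > window.b:          # f is non-decreasing: no later j can fit
                return False
            if window.contains(f[j]) and psi(seq, j):
                return True
            if not phi(seq, j):          # phi must hold at every state before j
                return False
        return False
    return holds


def eventually_I(psi: Formula, I: Interval) -> Formula:
    return until_I(lambda seq, i: True, psi, I)


def always(phi: Formula) -> Formula:
    # unbounded box, evaluated over the remaining prefix
    return lambda seq, i: all(phi(seq, j) for j in range(i, len(seq[0])))


def implies(a: Formula, b: Formula) -> Formula:
    return lambda seq, i: (not a(seq, i)) or b(seq, i)


# Constructed sample: p at times 0 and 1.5, then q at 3 and 5.5
SAMPLE: TimedSeq = ([{"p"}, {"p"}, {"q"}, {"q"}], [0.0, 1.5, 3.0, 5.5])
P, Q = prop("p"), prop("q")


def bounded_response_holds(seq: TimedSeq = SAMPLE) -> bool:
    """The page's example Box(p -> Diamond_[2,5] q) evaluated on the sample sequence."""
    return always(implies(P, eventually_I(Q, Interval(2, 5))))(seq, 0)
```

On a finite prefix the evaluator can only report "satisfied" when a witness $j$ lies inside the prefix, so a negative result for an unbounded interval means "no witness seen so far"; the early exit on `f[j] > window.b` is sound because the time stamps never decrease.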

Since it is well known that the satisfiability and model-checking problems for MTL are undecidable over the state-based semantics (under $\mathbb{R}^{\geq 0}$), we will consider a fragment of MTL known as Metric Interval Temporal Logic (MITL), introduced by Alur et al. [AFH96], in which the temporal operators can only be constrained by nonsingular intervals. Thus 'punctuality properties' like $\Diamond_{=3}\, p$ ("eventually, exactly after 3 time units, p would hold") cannot be specified in MITL.

It is known that any MITL formula can also be expressed in TPTL [AH93]. Specifically, if the atomic constraints permit comparison and addition of constants, then the MITL formula

$$\varphi\, U_I\, \psi \qquad (9)$$

is equivalent to the TPTL formula

$$x.\big(\varphi\, U\, z.(\psi \wedge z \in x + I)\big)$$

where $z \in x + I$ can be expressed using TPTL constraints given the boundaries of $I$. It has been shown recently in [BCM05] that TPTL is strictly more expressive than MTL for both point-wise and interval-based semantics. Now, in the light of the discussion presented in Section 4.2, it is easy to see that any MITL formula can also be expressed in TLTL. Specifically, the MITL formula (9) is equivalent to the TLTL formula

$$\forall t_0.\big(x = t_0 \Rightarrow \varphi\, U\, (\psi \wedge x \in t_0 + I)\big)$$

where $x \in t_0 + I$ can be expressed using atomic constraints in TLTL, given the boundaries of $I$. For example, the MITL formula $\Box(p \Rightarrow \Diamond_{[2,5]}\, q)$ can be expressed in TLTL as

$$\forall t_0.\,\Box\big(p \wedge x = t_0 \Rightarrow \Diamond(q \wedge x \geq t_0 + 2 \wedge x \leq t_0 + 5)\big).$$

On the other hand, there also exist TLTL formulas (e.g., the one given in (7)) which cannot be expressed in MTL under point-wise semantics.

5 Decision Procedure for Validity of TLTL formulas

We consider a decision procedure for checking the validity of TLTL formulas employing techniques similar to those used in [IILP90]. In order to check the validity of a given TLTL formula $\psi = \forall t_1 \ldots t_k.\varphi$, we take the negated formula $\neg\varphi$ and actually check for its satisfiability using a tableau-like construction, by posing the question, 'are there positive real values for the timing variables $t_1, \ldots, t_k$ that will make the formula $\neg\varphi$ satisfiable?'

5.1 Closure of a Formula 

Let $\varphi$ be a TLTL formula, which is to be checked for satisfiability. We define the Fischer-Ladner closure $Cl(\varphi)$ as the least set containing $\varphi$ and closed under the following:

(c1) $true, false, \bigcirc true \in Cl(\varphi)$,

(c2) $\forall p \in V_\varphi$, $p, \neg p \in Cl(\varphi)$, where $V_\varphi$ is the set of atomic propositions appearing in $\varphi$,

(c3) $\neg\psi \in Cl(\varphi) \Rightarrow \psi \in Cl(\varphi)$; we identify $\neg\neg\psi$ with $\psi$ and $\neg true$ with $false$,

(c4) $\psi \vee \psi' \in Cl(\varphi) \Rightarrow \psi, \psi' \in Cl(\varphi)$,

(c5) $\bigcirc\psi \in Cl(\varphi) \Rightarrow \psi \in Cl(\varphi)$,

(c6) $\neg\bigcirc\psi \in Cl(\varphi) \Rightarrow \bigcirc\neg\psi \in Cl(\varphi)$,

(c7) $\psi\, U\, \psi' \in Cl(\varphi) \Rightarrow \psi, \psi', \bigcirc(\psi\, U\, \psi') \in Cl(\varphi)$,

(c8) $x \sim y \in Cl(\varphi) \Rightarrow x < y, x = y \in Cl(\varphi)$,

(c9) $x \sim u \in Cl(\varphi) \Rightarrow x \sim' u \in Cl(\varphi)$ for every $\sim' \in \Lambda$,

(c10) $x < y \in Cl(\varphi) \Rightarrow \bigcirc(x = y), \bigcirc(x < y) \in Cl(\varphi)$,

(c11) $x = y \in Cl(\varphi) \Rightarrow \bigcirc(x < y), \bigcirc(x = y) \in Cl(\varphi)$,

(c12) $x \sim u \in Cl(\varphi) \Rightarrow \bigcirc(x > u) \in Cl(\varphi)$.

Intuitively, $Cl(\varphi)$ includes all the formulae that play some role in deciding the satisfiability of $\varphi$. Using structural induction on $\varphi$, it can be shown that $|Cl(\varphi)| \leq 7|\varphi| + 3$.

5.2 Atoms 

An atom $A \subseteq Cl(\varphi)$ is a consistent set of formulas such that

(a1) $true, \bigcirc true \in A$.

(a2) For every $\psi \in Cl(\varphi)$: $\psi \in A \Leftrightarrow \neg\psi \notin A$.

(a3) For every $\psi \vee \psi' \in Cl(\varphi)$: $\psi \vee \psi' \in A \Leftrightarrow \psi \in A$ or $\psi' \in A$.

(a4) For every $\psi\, U\, \psi' \in Cl(\varphi)$: $\psi\, U\, \psi' \in A \Leftrightarrow \psi' \in A$ or $\psi, \bigcirc(\psi\, U\, \psi') \in A$.

(a5) For every $x < y, x = y \in Cl(\varphi)$, precisely one of them is in $A$.

(a6.1) For every $x < y \in A \Rightarrow \bigcirc(x \sim y) \in A$.

(a6.2) For every $x = y \in A \Rightarrow \bigcirc(x < y) \in A$.

(a7) For every $x \sim u \in Cl(\varphi)$, exactly one of $x < u$, $x = u$, or $x > u$ is in $A$.

(a8) If $C(A)$ denotes the set of all constraints in $A$, it is required that $C(A)$ forms a consistent set. In particular, for every $x \sim u_i \in Cl(\varphi)$, $x \sim u_i \in C(A)$ only if exactly one of the following holds, where we let $H_A$ denote the conjunction of the other static constraints already in $A$:

$x < y \in A$ and $(x < y) \wedge (x \sim u_i) \wedge H_A$ is satisfiable over $\mathbb{R}^{\geq 0}$, OR
$x = y \in A$ and $(x = y) \wedge (x \sim u_i) \wedge H_A$ is satisfiable over $\mathbb{R}^{\geq 0}$, OR
$x < y, x = y \notin A$ and $(x \sim u_i) \wedge H_A$ is satisfiable over $\mathbb{R}^{\geq 0}$.

Informally, we include a static constraint $x \sim u_i \in Cl(\varphi)$ in atom $A$ only if the resultant set of constraints in $A$ remains consistent.

(a9) For every $x \sim u \in A \Rightarrow true\, U\, (x > u) \in A$.

The requirement that every atom contains the formula $\bigcirc true$ is to ensure that only infinite sequences will be considered as possible models. Additionally, we define two special atoms:

$$A_{0=} = \{true, \bigcirc true, x = 0, x = y, \bigcirc(x < y), true\, U\, (x > 0), \bigcirc(true\, U\, (x > 0))\},\ \text{and}$$

$$A_{0<} = \{true, \bigcirc true, x = 0, x < y, \bigcirc(x = y), true\, U\, (x > 0), \bigcirc(true\, U\, (x > 0)), \bigcirc(x > 0)\}.$$

We denote the set of all atoms by $At$, which also contains $A_{0=}$ and $A_{0<}$.



5.3 Tableau Construction 

We construct a structure $A_\varphi = (At, R)$, which is a directed graph with atoms as nodes; its edges are defined by the relation $R$ as follows: $(A, B) \in R$ iff

1. for every $\bigcirc\alpha \in Cl(\varphi)$: $\bigcirc\alpha \in A \Rightarrow \alpha \in B$, where $\alpha \in Cl(\varphi) \cup C(\varphi)$;

2. for every $x = u \in Cl(\varphi)$: $x = u \in A \Rightarrow x = u \in B$ or $x > u \in B$;

3. for every $x > u \in Cl(\varphi)$: $x > u \in A \Rightarrow x > u \in B$;

where $C(\varphi)$ refers to the set of atomic constraints appearing in $\varphi$.

It is not difficult to see that under the definition of $R$, the following facts hold.

Fact 2 There is no atom $A \in At$ such that $(A, A_{0=}) \in R$.

Fact 3 There is no atom $A \in At \setminus \{A_{0=}\}$ such that $(A, A_{0<}) \in R$.

In other words, atom $A_{0=}$ has no incoming edges and the only permissible incoming edge to atom $A_{0<}$ is $(A_{0=}, A_{0<}) \in R$. $A_{0=}$ and $A_{0<}$ will be referred to from now on as initial atoms. Also note that the only states where atom $A_{0=}$ may hold are those which interpret both the clock variable $x$ and the minimum of the timeout variables $y$ as 0.

Let $A' = (W', R')$ be a substructure of $A_\varphi$ and let $C$ be a strongly connected subgraph (SCS) of $A'$.

• $C$ is said to be terminal in $A'$ if it has no outgoing edges.

• $C$ is said to be self-fulfilling if every atom has a successor in $C$, and for every $p\, U\, q \in A \in C$, there exists $B \in C$ such that $q \in B$.

• $C$ is said to be useless in $A'$ if it is terminal in $A'$ but is not self-fulfilling.

5.4 The Timing Relation between Atoms 
Relation between Successive Atoms:

Consider two atoms $A, B$ from $A_\varphi$ such that $(A, B) \in R$. Assume the set of constraints in $A$ to be $C(A) = T(A) \cup S(A)$, where $T(A) = \{T_{out}\}$ contains the (unique) dynamic constraint and $S(A) = \{S_1, \ldots, S_m\}$ the set of static constraints. Further, the set of constraints in $B$ is $C(B) = T(B) \cup S(B)$, where $T(B) = \{T'_{out}\}$ and $S(B) = \{S'_1, \ldots, S'_m\}$. For every $S_i$ there is a corresponding $S'_i$, and for $T_{out}$ there is a corresponding $T'_{out}$, such that:

• if $S_i$ is $x < u$, $S'_i$ is $x \sim u$. This follows from condition (a7) in Section 5.2 for defining an atom,

• if $S_i$ is $x = u$, $S'_i$ is either $x = u$ or $x > u$. This follows from condition (2) for defining $R$ in Section 5.3,

• if $S_i$ is $x > u$, $S'_i$ is also $x > u$. This follows from condition (3) for defining $R$ in Section 5.3, and

• if $T_{out}$ is $x < y$, $T'_{out}$ is $x \sim y$. Else, if $T_{out}$ is $x = y$, $T'_{out}$ is $x < y$. This follows from conditions (a6.1), (a6.2) in Section 5.2 and condition (1) for defining $R$ in Section 5.3.

The temporal relation between two atoms produces the following results, which allow us to select values for $x, y$ satisfying the constraints in one atom, once the values for which these variables satisfy the constraints of the other atom are known. Let us assume that $\chi, \chi'$ denote valuations for the clock $x$, $\psi, \psi'$ for $y$, and $\alpha_1, \alpha_2, \ldots, \alpha_k$ for the timing variables $t_1, t_2, \ldots, t_k$.

Lemma 2 If $\chi', \psi', \alpha_1, \alpha_2, \ldots, \alpha_k$ are non-negative reals satisfying $C(B)$, there exist non-negative reals $\chi, \psi$ such that $\chi, \psi, \alpha_1, \alpha_2, \ldots, \alpha_k$ satisfy $C(A)$ and $\chi \leq \chi'$, $\psi \leq \psi'$.

Proof. Assume $\chi', \psi', \bar\alpha$ satisfy $C(B)$, where $\bar\alpha = \alpha_1, \alpha_2, \ldots, \alpha_k$. We need to show that there exist $\chi \leq \chi'$, $\psi \leq \psi'$ such that $\chi, \psi, \bar\alpha$ satisfy $C(A)$. We consider different cases.

Case 0: If $C(A) = \emptyset$, that is, $A$ is a purely qualitative formula not involving any static or dynamic constraints, choose $\chi = \chi'$ and $\psi = \psi'$.

Case 1: If $S(A) = \emptyset$ but $T(A) \neq \emptyset$. We choose $\chi, \psi$ based upon the nature of $T_{out}$.

• Let $T_{out} = x = y \in C(A)$. Now by the definition of the timing relation between atoms $A$ and $B$, we have $T'_{out} = x < y$, implying that $\chi' < \psi'$. So, choose $\psi = \chi = \chi'$.

• Let $T_{out} = x < y \in C(A)$. Again by the definition of the timing relation between atoms $A$ and $B$, we have $T'_{out} = x = y \in C(B)$. Therefore $\chi' = \psi'$. We choose $\psi = \psi'$ and some arbitrary value $\chi \in [0, \chi')$. Note that this is always feasible, since in the only exceptional case, when $\chi' = \psi' = 0$, $B$ would be the initial atom $A_{0=}$ and thus $A$ cannot be present (see Fact 2).

Case 2: $S(A) \neq \emptyset$ and there exists a constraint $S_i \in S(A)$ of the form $x = t_i + c_i$ or $x = c$ ($c_i, c$ are constants), as the case may be; then choose $\chi = \alpha_i + c_i$ or $\chi = c$, which would necessarily satisfy all of $S_1, \ldots, S_m$ following the definition of an atom (condition (a8)). Now, based upon the nature of $T_{out}$, we will choose $\psi$ and prove the consistency of the choice.

• Let $T_{out} = x = y \in C(A)$. Choose $\psi = \chi$. Now by the definition of the timing relation between atoms $A$ and $B$, we have $T'_{out} = x < y$. Therefore $\chi' < \psi'$. Now $(x = t_i + c_i) \in S(A) \Rightarrow (x = t_i + c_i)$ or $(x > t_i + c_i) \in S(B)$, implying $\chi' \geq \alpha_i + c_i$. Thus we have $\psi = \chi = \alpha_i + c_i \leq \chi' < \psi'$. Similarly for $(x = c) \in S(A)$.

• Let $T_{out} = x < y \in C(A)$. Choose $\psi$ such that $\chi < \psi \leq \psi'$. Again by the definition of the timing relation between atoms $A$ and $B$, we have $T'_{out} = x = y \in C(B)$. Therefore $\chi' = \psi'$. Also $(x = t_i + c_i) \in C(A) \Rightarrow (x = t_i + c_i)$ or $(x > t_i + c_i) \in C(B)$, which also means $\chi' \geq \alpha_i + c_i$, i.e., $\chi' \geq \chi$. Similarly for $(x = c) \in S(A)$.

• $T(A) = \emptyset$. Choose $\psi = \chi$.

So, in all the situations we can choose $\chi$ and $\psi$ such that $\chi \leq \chi'$ and $\psi \leq \psi'$.

Case 3: $S(A) \neq \emptyset$ and there does not exist any constraint $S_i \in S(A)$ of the form $x = t_i + c_i$ or $x = c$. Let

• $E_l = \{\alpha_j + c_j \mid (x > t_j + c_j) \in C(A)\} \cup \{c \mid (x > c) \in C(A)\}$ and $l = \max(E_l)$ if $E_l \neq \emptyset$, else $l = -\infty$,

• $E_m = \{\alpha_j + c_j \mid (x < t_j + c_j) \in C(A)\} \cup \{c \mid (x < c) \in C(A)\}$ and $m = \min(E_m)$ if $E_m \neq \emptyset$, else $m = \infty$.

Note that $l < m$ since $\bigwedge_i S_i$ is satisfiable. Again, by the definition of the timing relation between atoms $A$ and $B$, we have $\forall w \in E_l.\,(x > w) \in S(A) \Rightarrow (x > w) \in S(B)$, implying that $l < \chi'$. Therefore, choose $\chi$ such that

$$l < \chi \leq \chi' \ \text{ if } \chi' < m, \qquad l < \chi < m \ \text{ if } \chi' \geq m. \qquad (10)$$

Such a choice of $\chi$ satisfies all of $S_1, \ldots, S_m$. Now, based upon the nature of $T_{out}$, we choose the values of $\chi$ and $\psi$ and prove the consistency of such a choice.

• Let $T_{out} = x = y \in C(A)$. Choose any value for $\chi$ satisfying (10) and choose $\psi = \chi$. Since $\chi \leq \chi' < \psi'$, we have $\chi \leq \chi'$ and $\psi < \psi'$.

• Let $T_{out} = x < y \in C(A)$. Choose $\psi = \chi'$. Because $T_{out} \wedge \bigwedge_i S_i$ is satisfiable, we must be able to choose $\chi$ such that $\chi < \psi$, which implies that $\chi < \chi'$.

• $T(A) = \emptyset$. Choose any value for $\chi$ satisfying (10), then choose $\psi = \chi$.

So in all the situations we can choose $\chi$ and $\psi$ such that $\chi \leq \chi'$ and $\psi \leq \psi'$. Hence the lemma. ■
Relation between Atoms in a Self-Fulfilling SCS:

In a self-fulfilling SCS every two atoms have the same set of static constraints, but they differ in the dynamic constraint.

Lemma 3 Let $A$ and $B$ be two atoms in some self-fulfilling SCS $C$; then $S(A) = S(B)$, and all the static constraints must be of the form $x > u$.

Proof. Since $A, B \in C$ and $C$ is an SCS, by the definitions of atom and relation $R$, $x > u \in S(A) \Leftrightarrow x > u \in S(B)$. It remains to show that $(x \sim' u) \notin S(A)$, where $\sim' \in \{<, =\}$. Assume that it is not the case, which means $x \sim' u \in C(A)$. By the definition of an atom, $true\, U\, (x > u) \in A$. Since $C$ is a self-fulfilling SCS, there must be an atom $D \in C$ such that $(x > u) \in S(D)$. It follows that $(x > u) \in S(A)$ as well, because $A$ is reachable from $D$, a fact that contradicts the definition of an atom. Therefore, we conclude that $x \sim' u \notin S(A)$. Since this will be true for atom $B$ as well, it follows that $S(A) = S(B)$. ■

Lemma 4 If $\chi, \psi, \bar\alpha$ is a satisfying solution for $C(A)$ and $A \in C$ (a self-fulfilling SCS), then for every $B \in C$ such that $(A, B) \in R$, there exist $\chi', \psi'$ such that $\chi', \psi', \bar\alpha$ satisfy $C(B)$ and $\chi' \geq \chi$, $\psi' \geq \psi$.

Proof. We consider only the dynamic constraints appearing in $A$ and $B$:

• $(x = y) \in C(A) \wedge (x < y) \in C(B)$. Choose $\chi' = \chi$ and any $\psi' > \psi$.

• $(x < y) \in C(A) \wedge (x = y) \in C(B)$. Choose $\chi' = \psi' = \psi$.

• $T(A) = T(B) = \emptyset$. Choose arbitrary $\chi', \psi' \in \mathbb{R}^{\geq 0}$ such that $\chi' \geq \chi$, $\psi' \geq \psi$, and $\chi' \leq \psi'$.

Note that from Lemma 2, every atom in $C$ contains all other constraints of the same form $x > u$, which are immediately satisfiable by any $\chi' \geq \chi$. ■

5.5 Fulfilling Paths and Satisfiability 

An infinite path $\pi = A_0, A_1, \ldots$ (where $A_0, A_1, \ldots$ are atoms) is called a fulfilling path for $\varphi$ if for every $i \geq 0$:

1. $\varphi \in A_0$.

2. $(A_i, A_{i+1}) \in R$.

3. For every $p\, U\, q \in Cl(\varphi)$, if $p\, U\, q \in A_i$, then there exists some $j \geq i$ such that $q \in A_j$.

Theorem 5 The formula $\varphi$ is satisfiable if and only if there exists a fulfilling path for $\varphi$ in $A_\varphi$.

Proof. If $\varphi$ is satisfiable and $\sigma$ is a model for it, then the corresponding fulfilling path can be given by $\pi = A_0, A_1, \ldots$, where $A_i = \{p \in Cl(\varphi) \mid \sigma^i \models p\}$.

On the other hand, let $\pi = A_0, A_1, \ldots$ be a fulfilling path for $\varphi$. Define a model $\sigma = s_0, s_1, \ldots$ for $\varphi$ such that each state $s_i$ ($\forall i \geq 0$) interprets proposition $p$ as true iff $p$ is in $A_i$. Since $\pi$ is an infinite path, beyond a certain point (say $A_k$) all the atoms in $\pi$ must be repeating infinitely often. These infinitely repeating atoms must be reachable from each other, and hence must be contained in a self-fulfilling SCS $C$. Let $\alpha_1, \alpha_2, \ldots, \alpha_k, s_{k+1}(x), s_{k+1}(y)$ be any solution that satisfies $C(A_{k+1})$. Using Lemma 2 we can trace the path $\pi$ backwards till $A_0$, assigning values $(s_0(x) \leq s_1(x) \leq \ldots \leq s_{k-1}(x) \leq s_k(x) \leq s_{k+1}(x),\ s_0(y) \leq s_1(y) \leq \ldots \leq s_{k-1}(y) \leq s_k(y) \leq s_{k+1}(y))$ to $(x, y)$ in atoms $A_0, A_1, \ldots, A_k$ on the way, which satisfy the constraints in $C(A_0), C(A_1), \ldots, C(A_k)$. Also, using Lemmas 3 and 4, we can assign values $(s_{k+1}(x) \leq s_{k+2}(x) \leq s_{k+3}(x) \leq \ldots,\ s_{k+1}(y) \leq s_{k+2}(y) \leq s_{k+3}(y) \leq \ldots)$ for the future states $s_{k+2}, s_{k+3}, \ldots$. Clearly $\sigma$ is an infinite sequence of states satisfying the formula $\varphi$. ■

From this theorem we conclude that it is sufficient to look for a fulfilling path for $\varphi$ in $A_\varphi$ in order to determine the satisfiability of $\varphi$.

5.6 Satisfiability Checking 

The fulfilling path for a TLTL formula $\varphi$ can be constructed as follows:

let $A^* = (W^*, R^*) = A_\varphi$ be the initial structure resulting from the construction described in Section 5.3

while ($A^* \neq \emptyset$ AND $A^*$ contains a useless maximal SCS)
begin
    let $C$ be a useless maximal SCS in $A^*$
    $W^* = W^* \setminus C$
    $R^* = R^* \cap (W^* \times W^*)$
end

if (there is an atom $A$ in $W^*$ such that $\varphi \in A$)
    then report success
    else report failure.

Theorem 6 The formula $\varphi$ is satisfiable if and only if the above algorithm reports success.

Proof. The algorithm succeeds if and only if the tableau $A_\varphi$ contains a finite path $\pi = A_0, \ldots, A_k$ that starts at an atom $A_0$ containing $\varphi$ and reaches $A_k$ in a terminal self-fulfilling SCS $C$. This path can be used to construct a fulfilling path for $\varphi$. Hence, by Theorem 5, $\varphi$ is satisfiable if and only if the algorithm above reports success. ■
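The pruning loop of Section 5.6 run over an explicitly given atom graph, as an added example that is not part of the paper: atoms are modelled only by the set of formulas they carry (until-formulas as `("U", p, q)` tuples), the relation $R$ is an adjacency dictionary, maximal SCSs are found with Tarjan's algorithm, and useless SCSs (terminal but not self-fulfilling) are deleted until none remains. The closure and atom construction of Sections 5.1 and 5.2 is assumed to have been done already; the sample graph for $p\, U\, q$ is constructed by hand and is not a complete tableau.

```python
from typing import Dict, FrozenSet, Hashable, List, Set

# An atom is modelled by the set of formulas it contains.  Until-formulas are
# written as tuples ("U", p, q); everything else is a plain string.  This is a
# constructed, minimal representation, not the paper's full atom definition.
Atom = FrozenSet[Hashable]
Graph = Dict[Atom, Set[Atom]]


def maximal_scs(nodes: Set[Atom], edges: Graph) -> List[Set[Atom]]:
    """Tarjan's algorithm: the maximal strongly connected subgraphs of the
    structure restricted to `nodes`."""
    index: Dict[Atom, int] = {}
    low: Dict[Atom, int] = {}
    stack: List[Atom] = []
    on_stack: Set[Atom] = set()
    components: List[Set[Atom]] = []

    def visit(v: Atom) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in edges.get(v, set()):
            if w not in nodes:
                continue
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp: Set[Atom] = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            components.append(comp)

    for v in nodes:
        if v not in index:
            visit(v)
    return components


def is_terminal(comp: Set[Atom], nodes: Set[Atom], edges: Graph) -> bool:
    # no edge leaves the SCS (edges to already-deleted atoms do not count)
    return all(w in comp for v in comp for w in edges.get(v, set()) if w in nodes)


def is_self_fulfilling(comp: Set[Atom], edges: Graph) -> bool:
    # every atom has a successor inside comp, and every p U q carried by some
    # atom of comp is discharged by an atom of comp that contains q
    for v in comp:
        if not any(w in comp for w in edges.get(v, set())):
            return False
        for fm in v:
            if isinstance(fm, tuple) and fm[0] == "U" and not any(fm[2] in w for w in comp):
                return False
    return True


def prune_useless(nodes: Set[Atom], edges: Graph) -> Set[Atom]:
    """Delete useless (terminal but not self-fulfilling) maximal SCSs until none
    is left; returns the surviving atoms W*."""
    live = set(nodes)
    while live:
        useless = [c for c in maximal_scs(live, edges)
                   if is_terminal(c, live, edges) and not is_self_fulfilling(c, edges)]
        if not useless:
            break
        live -= useless[0]
    return live


def satisfiable(phi: Hashable, nodes: Set[Atom], edges: Graph) -> bool:
    return any(phi in A for A in prune_useless(nodes, edges))


# Constructed tableau fragment for phi = p U q (not the full closure/atom construction)
PHI = ("U", "p", "q")
A0: Atom = frozenset({PHI, "p"})          # p holds, obligation p U q still open
A1: Atom = frozenset({PHI, "p", "r"})     # loops on itself without ever reaching q
A2: Atom = frozenset({"q"})               # discharges the obligation
A3: Atom = frozenset({"s"})               # harmless infinite tail
NODES = {A0, A1, A2, A3}
EDGES: Graph = {A0: {A1, A2}, A1: {A1}, A2: {A3}, A3: {A3}}
# Variant where A2 is a dead end: the whole graph collapses and phi is unsatisfiable
EDGES_DEAD: Graph = {A0: {A1, A2}, A1: {A1}, A2: set(), A3: {A3}}
```

Deleting a useless SCS can make its predecessors terminal, which is why the loop recomputes the SCSs after every deletion rather than classifying them once; in the `EDGES_DEAD` variant this cascades from `A2` back to `A0`.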

5.7 Complexity Analysis 

For the complexity analysis we will require the following result.

Lemma 7 Checking that the constraints appearing in an atom are satisfiable over $\mathbb{R}^{\geq 0}$ can be done in time $O(|Cl(\varphi)|)$.

Proof. There exists a well-known polynomial time procedure [Pra77] to decide the satisfiability of a conjunction of linear inequalities of the form $\xi \leq \eta + c$, where $\xi, \eta$ are real-valued variables and $c$ is an integer constant, by reducing the problem to that of deciding the non-existence of a cycle with negative weight in a weighted directed graph, such that the inequality $\xi \leq \eta + c$ induces two nodes corresponding to the variables $\xi, \eta$ and an edge $(\xi, \eta)$ labeled with $-c$.

Nonetheless, owing to the special nature of the constraints considered here, we can show that a linear time procedure exists to check the satisfiability of the constraints appearing in an atom. Let us partition the set of constraints appearing in atom $A$ as follows:

$$C(A) = C_{xy} \cup C_{=c} \cup C_{=v} \cup C_{>c} \cup C_{>v} \cup C_{<c} \cup C_{<v},\ \text{where}$$

$C_{xy}$ consists of constraints of the form $(x \sim y)$,
$C_{=c}$ consists of constraints of the form $(x = c)$,
$C_{=v}$ consists of constraints of the form $(x = t + c')$,
$C_{>c}$ consists of constraints of the form $(x > c)$,
$C_{>v}$ consists of constraints of the form $(x > t + c')$,
$C_{<c}$ consists of constraints of the form $(x < c)$, and
$C_{<v}$ consists of constraints of the form $(x < t + c')$.

Note that $\sim \in \{<, =\}$, $c, c' \in \mathbb{N}$ are integer constants, and $t \in T$ is a timing variable.

If $|C_{=c}| > 1$, then $C_{=c}$ itself is unsatisfiable and so is $C(A)$. Otherwise, if $(x = c) \in C_{=c}$, then check whether the constraints in $C_{>c} \cup C_{<c}$ are satisfiable on assigning $c$ to $x$. If not, then $C(A)$ is also not satisfiable. Otherwise, $\forall t_1 \in T$ such that $(x = t_1 + c_1) \in C_{=v}$, we can assign the valuation $c - c_1$ to $t_1$; $\forall t_2 \in T$ such that $(x < t_2 + c_2) \in C_{<v}$, we can assign the valuation $(c - c_2) + z$ ($z > 0$ : $(c - c_2) + z > 0$) to $t_2$; and $\forall t_3 \in T$ such that $(x > t_3 + c_3) \in C_{>v}$, we can assign $(c - c_3) - z$ ($z > 0$ : $(c - c_3) - z > 0$) to $t_3$. Also, assign $c$ to $y$ if $(x = y) \in C_{xy}$, else assign $c + 1$.

In the other case, when $C_{=c} = \emptyset$, calculate $l = \max(C_{>c})$ if $C_{>c} \neq \emptyset$, else $l = -\infty$, and $m = \min(C_{<c})$ if $C_{<c} \neq \emptyset$, else $m = \infty$. We define $\max(C_{>c}) = \max\{c \in \mathbb{R}^{\geq 0} \mid x > c \in C_{>c}\}$, and $\min(C_{<c}) = \min\{c \in \mathbb{R}^{\geq 0} \mid x < c \in C_{<c}\}$. Next we check if $l < m$. If not, these constraints cannot be satisfied simultaneously. Otherwise we can choose any value of $x$, $l < x < m$, as a solution. Satisfying valuations for all timing variables can be assigned accordingly.

To estimate the time complexity, notice that the partitioning of $C(A)$ can be done in linear time with respect to the size of the constraint set, since in order to place a constraint in its correct partition it is only required to check the form of the inequality and the type of the variable (constant or variable). All other steps of checking satisfiability and assigning valuations to timing variables in $T$ can also be carried out in time linear in the size of the constraint set, where the size of the constraint set is bounded by $|Cl(\varphi)|$. ■
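The linear-time check of Lemma 7 as an added example that is not part of the paper: a solver that partitions the constraints of one atom into the classes $C_{=c}, C_{>c}, C_{<c}, C_{=v}, C_{>v}, C_{<v}, C_{xy}$ in one pass and then either rejects or produces a satisfying valuation over $\mathbb{R}^{\geq 0}$. The tuple encoding of constraints is constructed for this example. It goes slightly beyond the sketch above in one respect: where a timing variable occurs in several constraints it keeps the strongest lower and upper offset for that variable, and it turns $t \geq 0$ into the bound on $x$ it implies (e.g. $x > t + c'$ forces $x > c'$), so that conflicting constraints on the same variable are rejected rather than assigned twice.

```python
from math import inf
from typing import Dict, List, Optional, Set

# Constructed encoding of the constraints of one atom (not the paper's notation):
#   ("c", rel, c)        stands for  x rel c           rel in {"<", "=", ">"}
#   ("t", rel, name, c)  stands for  x rel name + c    name is a static timing variable
#   ("y", rel)           stands for  x rel y           rel in {"<", "="}
Constraint = tuple
Valuation = Dict[str, float]


def solve_atom_constraints(C: List[Constraint]) -> Optional[Valuation]:
    """Decide satisfiability of C over the non-negative reals and return a
    satisfying valuation of x, y and the timing variables, or None.
    One pass partitions C (the page's C_=c, C_>c, C_<c, C_=v, C_>v, C_<v, C_xy),
    a second pass assigns values; both are linear in |C|."""
    eq_c: Set[float] = set()            # C_=c
    lo_c, hi_c = -inf, inf              # strongest x > c and x < c
    eq_t: Dict[str, float] = {}         # x = t + c'  <=>  t = x - c'
    lo_t: Dict[str, float] = {}         # x < t + c'  <=>  t > x - c'  (smallest c' is strongest)
    hi_t: Dict[str, float] = {}         # x > t + c'  <=>  t < x - c'  (largest c' is strongest)
    dyn: Optional[str] = None           # the x ~ y constraint, if present
    for k in C:
        if k[0] == "c":
            _, rel, c = k
            if rel == "=":
                eq_c.add(c)
            elif rel == ">":
                lo_c = max(lo_c, c)
            else:
                hi_c = min(hi_c, c)
        elif k[0] == "t":
            _, rel, name, c = k
            if rel == "=":
                if name in eq_t and eq_t[name] != c:
                    return None         # t = x - c1 and t = x - c2 with c1 != c2
                eq_t[name] = c
            elif rel == "<":
                lo_t[name] = min(lo_t.get(name, inf), c)
            else:
                hi_t[name] = max(hi_t.get(name, -inf), c)
        else:
            dyn = k[1]
    if len(eq_c) > 1:                   # two different x = c constraints
        return None
    # Each timing variable must have a non-empty window (x - lo, x - hi); an
    # equality t = x - c_e must fall inside that window.
    for name in set(eq_t) | set(lo_t) | set(hi_t):
        lo, hi = lo_t.get(name, inf), hi_t.get(name, -inf)
        if hi >= lo or (name in eq_t and not hi < eq_t[name] < lo):
            return None
    # Bounds on x: x > c from C_>c and from x > t + c' (since t >= 0);
    # x >= c' from x = t + c' (again since t >= 0); x < c from C_<c.
    strict_lo = max([lo_c] + list(hi_t.values()))
    weak_lo = max([0.0] + list(eq_t.values()))
    if eq_c:
        x = next(iter(eq_c))
        if not (strict_lo < x < hi_c and x >= weak_lo):
            return None
    else:
        if hi_c <= strict_lo or hi_c <= weak_lo:
            return None
        lo = max(strict_lo, weak_lo)
        x = (lo + hi_c) / 2 if hi_c < inf else lo + 1.0
    val: Valuation = {"x": x}
    for name in set(eq_t) | set(lo_t) | set(hi_t):
        if name in eq_t:
            val[name] = x - eq_t[name]
        else:
            lower = max(0.0, x - lo_t.get(name, inf))   # t > x - lo (or just t >= 0)
            upper = x - hi_t.get(name, -inf)            # t < x - hi
            val[name] = lower + 1.0 if upper == inf else (lower + upper) / 2
    # the dynamic constraint: y = x for x = y, any y > x for x < y (the page picks x + 1)
    val["y"] = x if dyn == "=" else x + 1.0
    return val


def satisfies(C: List[Constraint], val: Valuation) -> bool:
    """Independent check of a valuation against C (used to validate the solver)."""
    ops = {"<": lambda a, b: a < b, "=": lambda a, b: a == b, ">": lambda a, b: a > b}
    if any(v < 0 for v in val.values()):
        return False
    for k in C:
        if k[0] == "c":
            ok = ops[k[1]](val["x"], k[2])
        elif k[0] == "t":
            ok = ops[k[1]](val["x"], val[k[2]] + k[3])
        else:
            ok = ops[k[1]](val["x"], val["y"])
        if not ok:
            return False
    return True
```

Both passes touch each constraint a constant number of times and the per-variable bookkeeping is a dictionary lookup, so the running time stays linear in the number of constraints, as the lemma requires.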

Theorem 8 The satisfiability problem for (unquantified) TLTL is PSPACE-complete.

Proof. Let $|A_\varphi|$ denote the size of the structure $A_\varphi$, which is bounded by the number of possible subsets of $Cl(\varphi)$, that is, $|A_\varphi| \leq 2^{O(|Cl(\varphi)|)}$. The number of constraints appearing in any atom is also bounded by $|Cl(\varphi)| \leq 7|\varphi|$, therefore $|A_\varphi| \leq 2^{O(|\varphi|)}$. By Lemma 7, consistency checking of these constraints can be performed in time $O(|Cl(\varphi)|)$. This results in an overall time bound of $2^{O(|\varphi|)} \cdot |\varphi| = 2^{O(|\varphi| + \log|\varphi|)} = 2^{O(|\varphi|)}$.

Using an argument similar to the one presented in [SC85], we can conclude that there exists a nondeterministic algorithm $M$, which (generates $A_\varphi$ 'on-the-fly' and) accepts $\varphi$ iff it is satisfiable. $M$ uses space of the order of $|Cl(\varphi)|$. Using Savitch's Theorem [Sav70], it can be concluded that there exists a polynomial space bounded ($O(|Cl(\varphi)|^2)$) deterministic algorithm which can decide the satisfiability of TLTL formulae.

It is also shown in [SC85] that satisfiability of LTL with $U$ and $\bigcirc$ is PSPACE-hard. Since LTL is properly embedded in TLTL, this renders satisfiability of (unquantified) TLTL PSPACE-complete. ■

As a consequence, we also have:

Theorem 9 The validity problem for (quantified) TLTL is PSPACE-complete.

6 Model Checking for TLTL 

The model checking problem of deciding whether a TLTL formula $\psi$ is satisfied by all the computations of a given timeout program $P$ with clock, timeout, and static timing variables is conceptually much harder than deciding the validity of TLTL formulas. This difficulty arises due to the fact that the clock, timeout, and static timing variables range over the set of non-negative reals, and therefore timeout systems are inherently infinite state systems. This renders automated verification of these systems difficult, as most model checking techniques proceed by exhaustive enumeration of the state space.

Therefore we consider a restriction of TLTL over $\mathbb{N}$ (i.e., clock, timeout, and static timing variables assume positive integer valuations). Also, we restrict our attention to only those timeout systems where increments in the values of the timeout variables, and thus the clock increments, are allowed only over a finite range of values while taking transitions.

6.1 Timeout Programs 

The representation of a finite state timeout program that we consider is given by a timeout Kripke structure (TKS) $K = (S, S^0, E)$ over the clock $x$, the set of static timing variables $T$, a finite set $TO$ of timeout variables $\tau_1, \tau_2, \ldots, \tau_n$ used to record the values of timeouts such that $TO \cap T = \emptyset$, and a variable $y$ which equals $\min TO = \min\{\tau_i : \tau_i \in TO\}$, where

• $S$ is a finite set of locations. Each location $s \in S$ gives a Boolean interpretation to each of the propositions and an integer interpretation in the interval $[0, M]$ to the static timing variables appearing in $\psi$ (i.e., the set $T_\psi$),

• $S^0 \subseteq S$ is the set of initial locations, defining the values of the static timing variables for the runs starting from these locations,

• $E = (E^+ \cup E^0) \subseteq (S \times \mathbb{N} \times (\mathbb{N} \cup \{*\}) \times S)$ denotes the set of edges connecting locations in $S$. $E$ is partitioned into two disjoint sets $E^+$ and $E^0$. If $(s, l, m, s') \in E^+$ then $l = m = 0$. For simplicity we omit $l$ and $m$ for $E^+$ edges and represent them as $(s, s')$. For $E^0$ edges, either $l$ and $m$ assume non-zero positive integral values, which define the finite range of values for incrementing timeouts, or, when $m$ is $*$, $l$ specifies an open-ended range of values larger than $l$ for incrementing timeouts.

The operational meaning of $E^+$ and $E^0$ is given as follows.

• $E^+$ is the set of delay transitions, whereby the clock $x$ advances to $\min TO$; that is, if $(s, 0, 0, s') \in E^+$, then on taking this transition the value of the clock $x$ is incremented to $\min TO$.

• $E^0$ represents the set of discrete transitions. For $(s, l, m, s') \in E^0$, on a discrete transition at least one of the timeouts attaining the minimum value is incremented by some arbitrary value $\delta$ in $[l, m]$ (if $m \in \mathbb{N}$), or $\delta > l$ (if $m$ is $*$).

The semantics of a TKS $K$ is defined as follows. We define a timeout computation of $K$ to be an infinite sequence of timeout states

$$\sigma : (s_0, x_0, y_0, TO_0), (s_1, x_1, y_1, TO_1), \ldots$$

where $x_0, x_1, \ldots$ denote the clock values, $y_0, y_1, \ldots$ denote the values of the variable $y$, and $TO_0, TO_1, \ldots$ denote the sets of values of the timeouts in $TO$ for $i = 0, 1, \ldots$, such that $TO_i[j]$ denotes the value of $\tau_j$ in $TO_i$. All (static) timing variables in $T$ assume the same valuation in every state. Thus we have:

• $s_0 \in S^0$ and either $x_0 = y_0 = \min TO_0 = 0$ or $0 = x_0 < y_0 = \min TO_0$.

• For every $i = 0, 1, \ldots$

  - $\forall t_j \in T : s_i(t_j) = s_0(t_j)$

  - $y_i = \min TO_i$.

• For every $i = 0, 1, \ldots$

  - either $(s_i, 0, 0, s_{i+1}) \in E^+$, s.t. $x_i < \min TO_i \wedge x_{i+1} = \min TO_i$. Also $TO_{i+1} = TO_i$, that is, during delay transitions timeouts do not change;

  - or $(s_i, l, m, s_{i+1}) \in E^0$ and $\exists \tau_j \in TO$ s.t. $TO_i[j] = \min TO_i$, and $TO_{i+1}[j] = TO_i[j] + \delta$ where $\delta \in [l, m]$ if $m \in \mathbb{N}$, otherwise $\delta > l$ if $m$ is $*$. Also $x_{i+1} = x_i = \min TO_i$ and $\forall \tau_k \in TO \setminus \{\tau_j\}.\ TO_{i+1}[k] = TO_i[k]$.

• There are infinitely many $i$'s such that $x_{i+1} = \min TO_i$, which means the clock and the timeouts always advance.
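The delay and discrete transition rules of a timeout Kripke structure, as an added example that is not part of the paper: a replayer that applies a script of moves to a timeout state and refuses any move that violates the semantics listed above (delay only when $x < \min TO$, discrete steps only at $x = \min TO$ on a timeout that attains the minimum, increment inside $[l, m]$ or above $l$ for an open-ended edge). The `TKS` class, the tuple encoding of edges and states, and the two-timeout controller used as input are all constructed for this example.

```python
from typing import Dict, List, Optional, Set, Tuple, Union

# Constructed representation of a timeout Kripke structure (not the paper's code):
# an edge is (s, l, m, s') with l, m integers; delay edges have l = m = 0 and
# discrete edges have l > 0 and m either an integer >= l or "*" (open ended).
Edge = Tuple[str, int, Union[int, str], str]
# A timeout state: (location, x, y = min TO, TO as a dict tau -> value), all over N.
State = Tuple[str, int, int, Dict[str, int]]


class TKS:
    def __init__(self, locations: Set[str], initial: Set[str], edges: Set[Edge]):
        self.S, self.S0, self.E = set(locations), set(initial), set(edges)

    def delay_edge(self, s: str, t: str) -> bool:
        return (s, 0, 0, t) in self.E

    def discrete_edge(self, e: Edge) -> bool:
        return e in self.E and e[1] > 0


def make_state(loc: str, x: int, TO: Dict[str, int]) -> State:
    return (loc, x, min(TO.values()), dict(TO))


def initial_ok(k: TKS, st: State) -> bool:
    # s_0 in S^0 and either x_0 = y_0 = min TO_0 = 0 or 0 = x_0 < y_0 = min TO_0
    loc, x, y, TO = st
    return loc in k.S0 and x == 0 and y == min(TO.values())


def delay(k: TKS, st: State, target: str) -> Optional[State]:
    """E^+ step: requires x < min TO; the clock jumps to min TO, timeouts unchanged."""
    loc, x, y, TO = st
    if not k.delay_edge(loc, target) or not x < y:
        return None
    return make_state(target, y, TO)


def discrete(k: TKS, st: State, e: Edge, tau: str, delta: int) -> Optional[State]:
    """E^0 step: taken at x = min TO, increments a timeout that attains the
    minimum by delta in [l, m] (or delta > l when m is "*"); the clock stays."""
    loc, x, y, TO = st
    s, l, m, target = e
    if s != loc or not k.discrete_edge(e) or x != y or TO.get(tau) != y:
        return None
    if (m == "*" and not delta > l) or (m != "*" and not l <= delta <= m):
        return None
    TO2 = dict(TO)
    TO2[tau] += delta
    return make_state(target, x, TO2)


def run(k: TKS, init: State, script: List[tuple]) -> Optional[List[State]]:
    """Replay a script of ("delay", target) / ("disc", edge, tau, delta) moves and
    return the timeout-state prefix, or None as soon as a move violates the semantics."""
    if not initial_ok(k, init):
        return None
    trace = [init]
    for move in script:
        if move[0] == "delay":
            st = delay(k, trace[-1], move[1])
        else:
            st = discrete(k, trace[-1], move[1], move[2], move[3])
        if st is None:
            return None
        trace.append(st)
    return trace


# Constructed example: a two-timeout controller
SAMPLE_TKS = TKS(
    {"idle", "wait", "fire"}, {"idle"},
    {("idle", 1, 3, "wait"), ("wait", 0, 0, "fire"), ("fire", 2, "*", "idle"), ("idle", 0, 0, "wait")},
)
INIT = make_state("idle", 0, {"tau1": 0, "tau2": 5})
SCRIPT = [
    ("disc", ("idle", 1, 3, "wait"), "tau1", 2),    # tau1 is the minimum: 0 -> 2
    ("delay", "fire"),                              # x: 0 -> min TO = 2
    ("disc", ("fire", 2, "*", "idle"), "tau1", 4),  # open-ended increment: 2 -> 6
    ("delay", "wait"),                              # x: 2 -> min TO = 5 (now tau2)
]
```

Only finite prefixes are replayed, so the last rule (infinitely many delay steps, i.e. non-zenoness) cannot be checked here; what the replayer does enforce is that the clock never overtakes the earliest pending timeout and that a timeout is only moved when it is the one due.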

6.2 A Tableau Construction for the Product of the Program K and the Formula

We construct a tableau $\mathcal{K} = A_\varphi \times K$ as the cross product of the tableau for an (unquantified) satisfiable TLTL formula $\varphi$ and a TKS $K$. The elements of $\mathcal{K}$ are:

• $N_\mathcal{K}$ is the set of nodes, consisting of pairs $(A, s)$ with $A \in A_\varphi$ (the tableau for $\varphi$) and $s \in K$.

• $E_\mathcal{K} = E^+ \cup E^0$ is the transition relation, where $E^+$ captures the elapse of time and $E^0$ represents the discrete transitions. Let $u ::= t + c \mid c$, as defined in Section 2.

  - $((A, s), (A', s')) \in E^+$ iff $(A, A') \in R$, $(s, 0, 0, s') \in E^+$ and
    $x < u \in C(A) \Rightarrow x = u \in C(A')$ or $x > u \in C(A')$,
    $x = u \in C(A) \Rightarrow x > u \in C(A')$, and
    $x < y \in C(A) \Rightarrow x \sim y \in C(A')$;

  - $((A, s), (A', s')) \in E^0$ iff $(A, A') \in R$ and $(s, l, m, s') \in E^0$ and
    $x \sim u \in C(A) \Rightarrow x \sim u \in C(A')$,
    $x \sim y \in C(A) \Rightarrow (x < y) \in C(A')$.

• $N_0$ is the set of initial nodes, consisting of all pairs $(A, s)$ such that $\varphi \in A$ and $s \in S^0$.

6.3 Model Checking Procedure 

We check if all runs of a program $K$ satisfy a TLTL formula $\psi = \forall t_1 \ldots t_k.\varphi$ as follows:

Step 1 Construct the initial tableau $A_{\neg\varphi}$ for the negated formula $\neg\varphi$ as described in Section 5.

Step 2 Construct the tableau product $A_{\neg\varphi} \times K$ as described in Section 6.2.

Step 3 Check if $A_{\neg\varphi} \times K$ contains a self-fulfilling path for $\neg\varphi$.

Lemma 10 The TKS $K$ satisfies $\neg\varphi$ if and only if $A_{\neg\varphi} \times K$ contains a self-fulfilling path.

Theorem 11 The TKS $K$ validates the TLTL specification $\psi$ if and only if it does not satisfy $\neg\varphi$.

6.4 Complexity of Model Checking 

The size of the product tableau $A_{\neg\varphi} \times K$ is bounded by $O(|A_{\neg\varphi}| \times |K|)$, or $O(|K| \times 2^{O(|\varphi|)})$, which is linear in the size of the TKS and exponential in the size of the TLTL specification $\varphi$. Since deciding the presence of a self-fulfilling path can always be done, in the worst case, in time linear in the size of the product graph, we conclude that the problem of whether a TLTL formula $\psi = \forall t_1 \ldots t_k.\varphi$ holds in a TKS $K$ can be decided in deterministic time linear in the size of $K$ and exponential in the length of $\varphi$.

Following the argument presented for satisfiability checking in Theorem 8, there exists a nondeterministic algorithm which checks if $A_{\neg\varphi} \times K$ contains a self-fulfilling path for $\neg\varphi$ using $O(|\varphi|)$ space. This places model checking in PSPACE as well. For the hardness part, we need to reduce the validity problem for TLTL to model checking, which requires defining a TKS $K$ of constant size such that a formula $\varphi$ holds in $K$ iff it is valid. Towards that, we further assume that the range of the static timing variables is restricted to the interval $[0, M] \subseteq \mathbb{N}$, where the value of $M$ can be approximated by the maximum path delay in the timeout Kripke structure defined below. The path delay for a specific (acyclic) path starting from some initial location and ending at some designated location is the sum of the maximal possible timeout increments or clock delays (replacing open-ended timeout increments with arbitrary values) over the transitions across the path. Well-known shortest path algorithms [CLRS01, pp. 580-642], viz., the Floyd-Warshall algorithm and Dijkstra's algorithm, can easily be adapted for calculating such a maximal path delay over a given TKS. Now, choose

$$K = \big(2^{P \cup [0,M]},\ 2^{P \cup [0,M]},\ 2^{P \cup [0,M]} \times \{0\} \times \{*\} \times 2^{P \cup [0,M]}\big)$$

to be the complete graph over all subsets of $P \cup [0, M]$.¹

¹ All the timeouts with minimum value are incremented on taking the transition $(s, s')$.

7 Undecidability of Dense TLTL 

We relax the time-progress condition and consider an interpretation of TLTL formulas over a dense time domain. We prove the resulting logic to be highly undecidable by reducing a $\Sigma^1_1$-hard problem to its satisfiability problem.

7.1 2-counter Machines 

A nondeterministic 2-counter machine $M$ consists of two counters $C_1$ and $C_2$, assuming non-negative integer values, and a finite sequence of labeled instructions (e.g., labeled by the numbers $1, 2, \ldots$). Each instruction may either increment or decrement one of the counters, or jump conditionally upon one of the counters being zero. When the machine $M$ executes a non-jump instruction, it proceeds non-deterministically to one of two specified instructions. For example, using programming pseudo-code notation, the $j$-th instruction may be either of the following, where $i \in \{1, 2\}$:

$$j : C_i := C_i + 1;\ \text{goto } l_1 \text{ or } l_2, \qquad (11)$$
$$j : C_i := C_i - 1;\ \text{goto } l_1 \text{ or } l_2, \qquad (12)$$
$$j : \text{if } C_i = 0 \text{ goto } l_1;\ \text{else goto } l_2, \qquad (13)$$

where $l_1$ and $l_2$ are instruction labels. The configurations of such an $M$ having $n > 0$ instructions are represented by triples $(i, c, d)$, where $0 \leq i \leq n$ is the instruction label, and $c \geq 0$, $d \geq 0$ are the current values of the counters $C_1$ and $C_2$ respectively. The relation between consecutive configurations can be defined in the obvious way. A computation of $M$ is an $\omega$-sequence of related configurations, beginning with the initial configuration, which is usually taken as $(0, 0, 0)$. Importantly, 2-counter machines are Turing complete [LMl'Dli]. For more details on counter machines see [HMU06, Chap. 8], [Jon97, Chap. 7-8].

The computation of a counter machine is called recurring if it contains infinitely many configurations with the value of the instruction counter being 0. It was shown in [AH94] that the problem of deciding if a given nondeterministic 2-counter machine has a recurring computation is $\Sigma^1_1$-hard.

7.2 Dense TLTL 

Let us relax the time-progress condition (TO2) and extend the expressive power of TLTL by providing a dense semantics to it, i.e., we assume that between any two given time points there is another time point. We assume our time domain to be the non-negative rationals $\mathbb{Q}^{\geq 0}$ with the dense linear order induced by the usual '$<$' relation, which is irreflexive, comparability-permissible and transitive.

The technique we use to prove the undecidability of dense TLTL follows closely the one described in [AH94, Section 4.4] to prove a similar result for TPTL. We need a successor function $S$ on the underlying time domain $\mathbb{Q}^{\geq 0}$. This function, when applied to an element in $\mathbb{Q}^{\geq 0}$, will return a unique element greater than the original element. $S$ satisfies the following axioms: i) $q < S(q)$ for all $q \in \mathbb{Q}^{\geq 0}$ and ii) $q < q' \Rightarrow S(q) < S(q')$ for all $q, q' \in \mathbb{Q}^{\geq 0}$.

Note that, owing to the denseness of $\mathbb{Q}^{\geq 0}$, arbitrarily many time points can be squeezed into a finite interval with the application of the successor. For notational convenience, $S(q)$ will be represented as $q^+$ in the following discussion.

We encode a computation of $M$ by using propositions $p_0, p_1, \ldots, p_n, r_1$ and $r_2$, precisely one of which is true in any state. The configuration $(j, c, d)$ of $M$ is represented by the finite sequence of states

$$p_j,\ \underbrace{r_1, \ldots, r_1}_{c},\ \underbrace{r_2, \ldots, r_2}_{d}.$$

The initial configuration $(0, 0, 0)$ can be encoded using the proposition $p_0$. The recurrence condition can be encoded as $\Box\Diamond p_0$. It is possible to have the $k$-th configuration of a computation of $M$ correspond to the finite sequence of states that is mapped to the interval $[t, t^+)$. We force the time to increase by a strictly positive amount between each pair of successive states using $\Box(x = t \Rightarrow \bigcirc(x > t))$. Now we can copy groups of $r$-states by establishing a one-to-one correspondence between $r_j$ ($j = 1, 2$)-states at time $t$ and time $t^+$. In the following we assume that $t_0, t_1, t_2, \ldots$ stand for static timing variables.



Let us consider the instruction (11) $j : C_2 := C_2 + 1$; goto $l_1$ or $l_2$, which increments the counter $C_2$ and proceeds nondeterministically to either instruction $l_1$ or $l_2$. We can encode this computation by the following TLTL formula:

$\Box\big(\varphi \to (\psi_1 \wedge \psi_2 \wedge \psi_3(r_1) \wedge \psi_3(r_2) \wedge \psi_4^{C_2})\big)$

where

$\varphi : x = t \wedge p_j$

$\psi_1 : \Diamond(x = t^+ \wedge (p_{l_1} \vee p_{l_2}))$

$\psi_2 : \Box\big((x = t_1 \wedge \Diamond(x = t_2 \wedge x < t^+)) \to \Diamond(x = t_1^+ \wedge \Diamond(x = t_2^+))\big)$

$\psi_3(r_i) : \Box\big((x = t_3 \wedge x < t^+ \wedge r_i) \to \Diamond(x = t_3^+ \wedge r_i)\big)$

$\psi_4^{C_2} : \Box\big((x = t_4 \wedge \bigcirc(x = t^+)) \to \Diamond(x = t_4^+ \wedge \bigcirc(r_2 \wedge \bigcirc(x = t^{++})))\big)$

The formula $\varphi$ specifies that the current state, at time $t$, corresponds to instruction $j$. The first conjunct $\psi_1$ ensures the proper progression to one of the two specified instructions, $l_1$ or $l_2$, at time $t^+$. The second conjunct $\psi_2$ establishes a correspondence between the states of the successive intervals $[t, t^+)$ and $[t^+, t^{++})$ representing configurations, while $\psi_3(r_i)$ copies each $r_i$-state of the first interval to the corresponding position in the next one. The last conjunct $\psi_4^{C_2}$ adds an $r_2$-state at the end of the next configuration, as required by the increment operation. When the counter $C_1$ is incremented instead, $\psi_4^{C_1}$ replaces $\psi_4^{C_2}$ and adds an $r_1$-state at the beginning of the $r$-state sequence of the next configuration:

$\psi_4^{C_1} : \Box\big((x = t \wedge \bigcirc(x = t_4 \wedge (r_1 \vee r_2 \vee p_{l_1} \vee p_{l_2}))) \to \Diamond(x > t^+ \wedge x < t_4^+ \wedge r_1 \wedge \bigcirc(x = t_4^+))\big)$



Next, for the instruction (12) $j : C_2 := C_2 - 1$; goto $l_1$ or $l_2$, which decrements $C_2$, we copy all $r_1$-states as specified by $\psi_3(r_1)$ above. The $r_2$-states, however, are copied excluding the last one in the sequence. This is achieved by first modifying $\psi_3$ for $r_2$ as follows:

$\psi_3'(r_2) : \Box\big((x = t_3 \wedge x < t^+ \wedge r_2 \wedge \neg\bigcirc(x = t^+)) \to \Diamond(x = t_3^+ \wedge r_2)\big)$

and then rewriting $\psi_4^{C_2}$ as

$\psi_4'^{C_2} : \Box\big((x = t_4 \wedge x < t^+ \wedge r_2 \wedge \bigcirc(x = t^+)) \to \Diamond(x = t_4^+ \wedge \bigcirc(x = t^{++}))\big)$

In case of a decrement on $C_1$, we copy all the $r_2$-states as specified by $\psi_3(r_2)$, but copy the $r_1$-states only after excluding the first one in the sequence. This is achieved by modifying $\psi_3$ for $r_1$ as follows:

$\psi_3'(r_1) : \Box(\psi_3^{a} \wedge \psi_3^{b})$, where

$\psi_3^{a} : (x = t_3 \wedge x < t^+ \wedge r_1) \to \Diamond(x = t_3^+ \wedge r_1)$

$\psi_3^{b} : (x = t \wedge \bigcirc(x = t_3 \wedge r_1)) \to \neg\Diamond(x = t_3^+ \wedge r_1)$



Finally, we encode the test instruction (13) $j$ : if $C_1 = 0$ goto $l_1$; else goto $l_2$ as follows:

$\Box\big(\varphi \to (\psi_1' \wedge \psi_2 \wedge \psi_3(r_1) \wedge \psi_3(r_2))\big)$

where

$\psi_1' : \big((x = t \wedge \bigcirc(r_2 \vee p_{l_1} \vee p_{l_2})) \to \Diamond(x = t^+ \wedge p_{l_1})\big) \wedge \big((x = t \wedge \bigcirc r_1) \to \Diamond(x = t^+ \wedge p_{l_2})\big)$

$\psi_2 : \Box\big((x = t_1 \wedge \Diamond(x = t_2 \wedge x < t^+)) \to \Diamond(x = t_1^+ \wedge \Diamond(x = t_2^+))\big)$

$\psi_3(r_i) : \Box\big((x = t_3 \wedge x < t^+ \wedge r_i) \to \Diamond(x = t_3^+ \wedge r_i)\big)$

The test reads $C_1 = 0$ directly off the encoding: the state following $p_j$ is an $r_1$-state exactly when $C_1 > 0$; otherwise it is an $r_2$-state or, when both counters are zero, the instruction state of the next configuration. The two implications of $\psi_1'$ are conjoined, since their premises are mutually exclusive and exactly one of them must apply.

For $j$ : if $C_2 = 0$ goto $l_1$; else goto $l_2$, we modify $\psi_1'$ as follows, bounding the search for an $r_2$-state to the current configuration:

$\psi_1'' : \big((x = t \wedge \neg\Diamond(x < t^+ \wedge r_2)) \to \Diamond(x = t^+ \wedge p_{l_1})\big) \wedge \big((x = t \wedge \Diamond(x < t^+ \wedge r_2)) \to \Diamond(x = t^+ \wedge p_{l_2})\big)$
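To see the encoding at work, the following Python script simulates a small 2-counter machine and builds the timed state sequences that the formulas above constrain: copies of $r$-states land at $S(t_3)$, an increment inserts a fresh $r_1$ right after the instruction state (or a fresh $r_2$ after the last copy), a decrement omits the first $r_1$ or the last $r_2$, and time strictly increases. This is an added illustration, not part of the paper; the machine program, the concrete successor $S(q) = q + 1$ and the instruction tuple format are assumptions made for the example.

```python
from fractions import Fraction
from typing import List, Tuple

# (kind, counter, l1, l2): "inc"/"dec" go to l1 or l2 nondeterministically,
# "ifz" goes to l1 when the counter is zero and to l2 otherwise. Format assumed for this example.
Instr = Tuple[str, int, int, int]
Config = Tuple[int, int, int]          # (instruction label j, C1, C2)
TimedState = Tuple[Fraction, str]      # (time stamp, the single true proposition)


def successor(q: Fraction) -> Fraction:
    """Concrete successor S(q) = q + 1 (an assumption): q < S(q) and S is strictly
    monotone, which is all the reduction needs of S."""
    return q + 1


def encode(cfg: Config, t: Fraction) -> List[TimedState]:
    """(j, c, d) -> p_j, r1^c, r2^d at strictly increasing times inside [t, S(t))."""
    j, c, d = cfg
    states = [f"p{j}"] + ["r1"] * c + ["r2"] * d
    width = successor(t) - t
    return [(t + width * Fraction(i, len(states)), s) for i, s in enumerate(states)]


def decode(interval: List[TimedState]) -> Config:
    """Read (j, c, d) back off an encoded configuration by counting r-states."""
    props = [s for _, s in interval]
    return (int(props[0][1:]), props.count("r1"), props.count("r2"))


def step(cfg: Config, instr: Instr, choice: int = 0) -> Config:
    """Machine semantics; `choice` resolves the nondeterministic 'goto l1 or l2'."""
    j, c1, c2 = cfg
    kind, k, l1, l2 = instr
    cnt = [c1, c2]
    if kind == "ifz":
        return ((l1 if cnt[k - 1] == 0 else l2), c1, c2)
    if kind == "dec":
        if cnt[k - 1] == 0:
            raise ValueError("decrement of a zero counter")
        cnt[k - 1] -= 1
    elif kind == "inc":
        cnt[k - 1] += 1
    else:
        raise ValueError(kind)
    return ((l1, l2)[choice], cnt[0], cnt[1])


def next_interval(prev: List[TimedState], instr: Instr, choice: int = 0) -> List[TimedState]:
    """Timed states of the successor configuration in [S(t), S(S(t))), placed the way
    psi_2/psi_3 (copies at S(t3)), psi_4 (one inserted r-state) and psi_3' (one omitted r-state) demand."""
    kind, k, _, _ = instr
    t = prev[0][0]
    tp = successor(t)
    nxt = step(decode(prev), instr, choice)            # rejects an illegal decrement up front
    r_states = prev[1:]
    if kind == "dec":
        idx = [i for i, (_, s) in enumerate(r_states) if s == f"r{k}"]
        drop = idx[0] if k == 1 else idx[-1]            # psi_3'(r1): skip first r1; psi_3'(r2): skip last r2
        r_states = r_states[:drop] + r_states[drop + 1:]
    copies = [(successor(t3), s) for t3, s in r_states]   # psi_3: r_i at t3 reappears at S(t3)
    if kind == "inc" and k == 1:
        t4 = prev[1][0] if len(prev) > 1 else tp          # time of the state following p_j
        copies.insert(0, ((tp + successor(t4)) / 2, "r1"))  # psi_4^{C1}: new r1 strictly inside (S(t), S(t4))
    if kind == "inc" and k == 2:
        t_last = prev[-1][0]
        copies.append(((successor(t_last) + successor(tp)) / 2, "r2"))  # psi_4^{C2}: new r2 after the last copy
    return [(tp, f"p{nxt[0]}")] + copies


def timed_run(program: List[Instr], cfg0: Config, steps: int) -> List[List[TimedState]]:
    """The first `steps` transitions of the computation, as a list of encoded configurations."""
    run = [encode(cfg0, Fraction(0))]
    for _ in range(steps):
        run.append(next_interval(run[-1], program[decode(run[-1])[0]]))
    return run


def verify_run(program: List[Instr], run: List[List[TimedState]]) -> bool:
    """Check the invariants the reduction relies on: strictly increasing time, each
    configuration inside its own [t, S(t)), copies at S(t3), and faithful machine steps."""
    flat = [ts for interval in run for ts in interval]
    if any(a >= b for (a, _), (b, _) in zip(flat, flat[1:])):   # box(x = t -> next(x > t))
        return False
    for prev, nxt in zip(run, run[1:]):
        tp = successor(prev[0][0])
        if nxt[0][0] != tp or not nxt[0][1].startswith("p"):
            return False
        if any(not (tp <= u < successor(tp)) for u, _ in nxt):
            return False
        instr = program[decode(prev)[0]]
        if decode(nxt) != step(decode(prev), instr):
            return False
        if instr[0] != "dec" and any((successor(t3), s) not in nxt for t3, s in prev[1:]):
            return False
    return True


# Constructed program: 0: inc C1; 1: inc C2; 2: if C1 = 0 goto 0 else 3; 3: dec C1 goto 2.
# It visits instruction 0 forever (a recurring computation) while C2 grows without bound.
PROGRAM: List[Instr] = [("inc", 1, 1, 1), ("inc", 2, 2, 2), ("ifz", 1, 0, 3), ("dec", 1, 2, 2)]

if __name__ == "__main__":
    run = timed_run(PROGRAM, (0, 0, 0), 10)
    for interval in run:
        print(decode(interval), [(str(u), s) for u, s in interval])
    print("invariants hold:", verify_run(PROGRAM, run))
```

Because the copies are placed at $S(t_3)$ rather than re-spaced uniformly, each interval inherits the time offsets of its predecessor, which is exactly what $\psi_2$ and $\psi_3$ demand; exact rational arithmetic keeps the strict-increase check free of rounding artefacts.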

Thus, for a given 2-counter machine $M$, we can construct a formula $\varphi_M$ such that $\varphi_M$ is satisfiable iff $M$ has a recurring computation. Hence the satisfiability problem of dense TLTL is $\Sigma_1^1$-hard.

We observe that the satisfiability of a TLTL formula $\psi$ can always be expressed as a $\Sigma_1^1$-sentence asserting the existence of a model for $\psi$. Since $\mathbb{Q}^{\geq 0}$ is countable, $\psi$ also has a countable model. Thus any state sequence $\sigma$ for $\psi$ can be encoded by finitely many infinite sets of natural numbers in first-order arithmetic, say one for each proposition $p$ in $\psi$, characterizing the states in which $p$ holds. It is then easy to see that $\psi$, viewed as a first-order predicate, holds in $\sigma$. We conclude that the satisfiability of TLTL formulas is in $\Sigma_1^1$.

Theorem 12. The satisfiability problem for dense TLTL formulas is $\Sigma_1^1$-complete.



8 Discussion 

While existing real-time logics, e.g., TPTL [AH94], can specify clock based dense time properties, TLTL is better suited to expressing properties of timeout based real-time models under the given semantic interpretation, in which the granularity of time is defined in terms of timeout updates. As discussed in Section 6, infinite state models of real-time systems can be model checked against discrete time TLTL using the proposed abstractions on the Kripke structure.

Though we only consider the minimum of the timeout values, via a dummy variable $y$, dynamic constraints involving individual timeouts (e.g., constraints of the form $x < T_i + c$, where $T_i \in TO$ and $c \in \mathbb{N}$) can easily be included in the vocabulary of the logic, because the tableau procedure presented in Section 5.3 can be extended seamlessly using the fact that in any state $s$, $s(T_i) \geq s(y)$ for all $T_i \in TO$. Similarly, extending the logic with congruence constraints as in TPTL, and with arithmetic expressions involving more than one timing variable as in XCTL, would enhance its expressive power. Digitizability [HMP92] is yet another important property for applying discrete time verification techniques to dense time logics and models. Quite often, not all formulas of a dense time logic are digitizable, and those that are not are not amenable to discrete time verification; it remains to be seen which fragment of TLTL is digitizable. We conclude by comparing TLTL with Monadic Second Order Logic of Order (MSO). It is a routine exercise to show that TLTL can be embedded in MSO, following [AH93]. As future work, it would be interesting to characterize the fragment of MSO for which TLTL is expressively complete.